Currently, we have this in /opt/splunkforwarder/etc/log.cfg:
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
I want to change the logging location to /var/log and wondering if it can be done by doing this:
appender.A1.fileName=/var/log/splunk/splunkd.log
If so, Does splunk need to be restarted after this change to log.cfg?
For any manual change in configs, splunk needs a restart
Ref : http://docs.splunk.com/Documentation/Splunk/6.2.0/Troubleshooting/Enabledebuglogging