I had this problem and tried everything from several sources. The issue was resolved by getting the right permissions on the /var/log/secure file (or files, if logs are rolled locally). I had to open a ticket with Splunk and send the diag file from the forwarding server. All they could tell me was that it was a permissions issue, as Splunk did not have access to the files. I noticed other logs could be obtained fine from the /var/logs folder, like update.log, and I could see that the permissions on that were -rw-r--r--, so I changed from -rw-------. The way to do this is chmod 644 as root; then you will have -rw-r--r--. I didn't even have to restart the forwarder; it instantly started working.