Hello,
Assuming that I have a universal forwarder configured to monitor a directory of flat files, e.g. /var/log/, what happens if the following sequence of events happens?
1. Universal forwarder is monitoring files in /var/log
2. Universal forwarder crashes for some reason, or someone accidentally kills the process
3. Files in /var/log are modified, written to, etc. Assume a large number of changes have been made
4. Universal forwarder is restarted
In this situation, will the universal forwarder simply check through /var/log for any modified files, and send all the changes in the logs to the indexer at one go, thus possibly saturating the network bandwidth?
I believe the universal forwarder's max throughput is 256 kb/s, so if there's a large amount of changes, will it always attempt to send data to the indexer at this maximum rate?
Is there any way to throttle the universal forwarder's sending rate?