mattlemay, your question wasn't originally clear that it wasn't picking up all the logs. It sounds as if you are unhappy that it picked up those logs you have listed.
Firstly, have you got permissions to access those files if Splunk is not running as root? It shouldn't really be able to access the ones you've listed, but it's always good to check just in case.
Secondly could you post your inputs.conf from the forwarder please?
Thirdly, if you are running syslog-ng or rsyslog you could always bypass the forwarder altogether and add a statement like:
*.* @IP
to your syslog.conf (or rsyslog.conf or some other similar permutation) in /etc, /etc/syslog (or wherever it may be!),
where the IP is your Splunk server, and configure your Splunk instance to receive on port 514 (assuming it uses this as the default, which most do).
The forwarder is great for forwarding non-syslog files, load balancing across multiple forwarders and for integration with a deployment server for centralised management. If you have a one-to-one relationship, however, you might find it easier to use the syslog method. From memory I believe the weblogs will utilize this on the system, but you may need to do a quick test first.
You're right that this is trivial and Splunk normally handles this folder fine. In fact it's usually the first place a lot of people head when demoing to customers to show its ease of use and ability to recursively index a folder 🙂
We just need to figure out what is stopping it on your setup.
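As an added illustration of the syslog bypass described in the reply above (not part of the original post or the poster's own configuration), the two pieces that have to line up are the sender's forwarding rule and the Splunk receiver stanza. The address 192.0.2.10 is a documentation placeholder, not a real server; replace it with your Splunk host. rsyslog uses a single @ for UDP and @@ for TCP, and the Splunk stanza must match the transport you choose.

```conf
# --- On the sending host: /etc/rsyslog.conf (or a file in /etc/rsyslog.d/) ---
# Forward every facility at every priority to the Splunk host.
# Single @ = UDP, which is what the reply above describes.
*.* @192.0.2.10:514
# If you would rather use TCP (no silent packet loss on a busy host),
# use a double @ instead and pair it with the [tcp://514] stanza below:
# *.* @@192.0.2.10:514

# --- On the Splunk host: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for the UDP stream and tag it as syslog so the default
# syslog sourcetype rules parse timestamps and hosts correctly.
[udp://514]
sourcetype = syslog
connection_host = ip
# Uncomment this instead if you used the @@ (TCP) form on the sender:
# [tcp://514]
# sourcetype = syslog
# connection_host = ip
```

Note that binding to port 514 requires root or an equivalent capability, so if Splunk runs as a non-root user you will either need to let it bind low ports or choose a high port (for example 5514) on both sides; the port is one of the first things to compare when nothing arrives. After restarting rsyslog, a search over index=main sourcetype=syslog for the sending hostname is the quickest way to confirm the path works before relying on it.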