Thanks Frank,
Will try the option to look into the metrics.log file.
We have configured the heavy forwarders to receive logs from the Unix hosts and forward them to the indexer, as we aren't using the Splunk universal forwarder like we do for Windows.
So these HFs would act as the centralized syslog server, which would accumulate the logs and then send them to the indexers in real time.
I understood the idea of forwarding the logs to the centralized syslog server and then forwarding them to the Splunk HF/Indexer. Wouldn't there be too many components in this scenario? Also, I am not sure whether the logs, if not forwarded by the system they originate from, would have a different timestamp/hostname by the time they reach the HF/Indexers. They could have the timestamp of the centralized syslog server, which is used to forward the data.