We are using a Splunk Enterprise server to send logs to be indexed. The monitor config is stored in '/opt/splunk/etc/system/local/inputs.conf'. An example monitor config is:

    [monitor:///var/log/audit/audit.log]
    sourcetype = linux_logs
    index = splunk_server
    disabled = false

But when Splunk is restarted, the logs are not being sent and indexed. On looking at the splunkd.log file, there was this warning:

    WARN FilesystemChangeWatcher [9172 MainTailingThread] - error getting attributes of path "/var/log/aide/aide.log": Permission denied

Adding the splunk user to the root/sudo group didn't fix the issue.

Note: We are using the Splunk Enterprise server to send logs to itself through the input.config file mentioned in this post (https://community.splunk.com/t5/Deployment-Architecture/Configure-a-Receiver-to-Forward-to-itself/m-p/128441)
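The warning in the post is raised while getting the attributes of a path, which requires search (x) permission on every parent directory, and tailing the file additionally requires read (r) on the file itself. The following is an added example, not part of the original post: it walks a path and reports the first component whose mode bits deny a given uid and group set. The function names, the stand-in uid and the temporary directory tree are assumptions constructed for illustration, and only classic mode bits are evaluated.

```python
import os
import stat
import tempfile

def first_denied(path, uid, gids, base="/"):
    """Return (component, missing_permission) for the first component of
    `path` below `base` that uid/gids cannot pass, or None if all pass.
    Evaluates classic mode bits only (no ACLs, SELinux or capabilities)."""
    if uid == 0:
        return None  # root bypasses mode-bit checks
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(path, base).split(os.sep)
    current = base
    for i, name in enumerate(rel):
        current = os.path.join(current, name)
        st = os.stat(current)
        last = i == len(rel) - 1
        # Parents need search (x); the monitored file itself needs read (r).
        want = "r" if last and not stat.S_ISDIR(st.st_mode) else "x"
        if uid == st.st_uid:
            shift = 6          # owner bits
        elif st.st_gid in gids:
            shift = 3          # group bits
        else:
            shift = 0          # other bits
        bit = 4 if want == "r" else 1
        if not (st.st_mode >> shift) & bit:
            return current, want
    return None

def demo():
    """Constructed tree mimicking /var/log/audit/audit.log; the uid is hypothetical."""
    base = tempfile.mkdtemp()
    log_dir = os.path.join(base, "audit")
    log_file = os.path.join(log_dir, "audit.log")
    os.mkdir(log_dir)
    open(log_file, "w").close()
    other_uid = os.getuid() + 1            # stand-in for the splunk account
    gid = os.stat(log_dir).st_gid
    results = []
    os.chmod(log_dir, 0o700)
    os.chmod(log_file, 0o600)
    results.append(first_denied(log_file, other_uid, set(), base))   # blocked at directory
    os.chmod(log_dir, 0o750)
    results.append(first_denied(log_file, other_uid, {gid}, base))   # blocked at file
    os.chmod(log_file, 0o640)
    results.append(first_denied(log_file, other_uid, {gid}, base))   # readable via group
    return log_dir, log_file, results
```

On a real host the uid and group ids passed in should be those of the running splunkd process, since group changes made to an account do not apply to a process that was already started.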