we have a syslog server with UF installed on it and my inputs.conf states /opt/splunk/syslogs/cisco/acs/*/* and my logrotate.d has syslog-ng that states /opt/splunk/syslogs/*/*/*/syslog. Due to the logrotate daily cron job there are directroies created with dateext and .gz in the same directory and Splunk forwarder is reading them and resending it to indexers how do i stop this?
↧