I've installed a few Universal Forwarders on Windows laptops that are not consistently connected to the network. One machine did seem to cache events and forward them when reconnected, but another did not. My hypothesis is that this is because the first machine was only ever placed into hibernation, not shutdown or restarted, so the in-memory queue was preserved, whereas the other was shutdown.
That said, I need to maintain these logs regardless of connectivity. From my research, I believe that two settings should achieve these goals: `useACK = true` in the output stanza, and `persistentQueueSize = 100MB` in each input stanza. This should cause all events to be written to disk until such time as the indexer is available.
Is this a reasonable approach? I understand that there's some network and disk overhead involved, but is there any reason why this wouldn't work in the way I understand? Thanks for suggestions,
↧