Hey guys,
I'm trying to configure a Splunk Heavy Forwarder to cache its Windows Event Logs on the local disk in case the Indexer (in this scenario a third-party system on another server) is unreachable, and send them to the Indexer as soon as it is online again.
I've tried to configure it in the inputs.conf in this way:
[default]
host = server.domain
[WinEventLog:System]
persistentQueueSize=100GB
[WinEventLog:Security]
persistentQueueSize=100GB
Now I read this article: link text which says that it is impossible to cache Windows event log data on the local disk (at least not with the persistentQueueSize option).
Is there any way to store the logs on the local disk and forward them to the Indexer as soon as it is available again?
Thanks for your response.
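Added example, not part of the original question and not a Splunk documentation excerpt: a heavy-forwarder inputs.conf/outputs.conf pair showing where buffering actually happens for WinEventLog inputs. It assumes the receiver accepts Splunk's forwarding protocol on a placeholder address (indexer.example.com:9997); the queue size and checkpoint interval are illustrative values. persistentQueueSize is only honoured by tcp, udp, script and fifo inputs, so it is left out of the WinEventLog stanzas.

```ini
# inputs.conf on the heavy forwarder (added example, not the poster's config)
[default]
host = server.domain

# WinEventLog inputs have no on-disk persistent queue of their own. The durable
# store is the Windows Event Log itself: the forwarder writes a checkpoint of
# the last record it read and resumes from that checkpoint after an outage,
# provided the log has not rolled over in the meantime.
[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# outputs.conf on the heavy forwarder
[tcpout]
defaultGroup = primary_receiver

# Placeholder receiver address (assumption, replace with the real host:port)
[tcpout:primary_receiver]
server = indexer.example.com:9997
# In-memory output queue. When the receiver is unreachable it fills up and the
# forwarder stops reading new events (the input blocks) instead of dropping
# them; reading continues from the saved checkpoint once the connection returns.
maxQueueSize = 100MB
```

Because the event log is the real buffer, the setting that decides how long an outage can be survived is the maximum size of the Windows System and Security logs (and their retention policy), not a forwarder queue; size those so they do not wrap before the receiver is back. Indexer acknowledgement (useACK) is deliberately not shown, since a third-party receiver would not support it.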