Rotating log files is a good idea in general - it's easier to maintain and manage disk space if you have your logs divided into separate files. There's one caveat though - if you have too many of the files, Splunk can take significant time to catch up with their state on forwarder restart. So having files rotated daily is a reasonable compromise. Anyway, if you don't need to store the logs for other purposes on the syslog server, you can consider sending the logs by rsyslog to a HEC input instead of writing them down and ingesting them with a UF. It gives you some additional possibilities, like easily adjusting metadata.