Thanks much for the step-by-step. I guess we may not really know what the heck this second server is. It exists, it has a universal forwarder installed, and it is sending logs like the other 200 servers that I found in forwarder management as well as in the _internal index.
I'm being told that it took the spot of an old RSA enVision server and is storing syslogs without Splunk touching the log format. I found an old instruction that there is a directory on that server that Splunk was told to monitor. This might be outdated? It seems to me that all the servers in our environment are sending directly to Splunk, since a) they are found in forwarder management, b) they are listening on 'splunk:9997', and c) I haven't had to do anything yet on this mystery syslog server. Does this sound about right?
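The question above can be settled from the forwarder's own configuration rather than from forwarder management alone: outputs.conf says where the universal forwarder sends data, and inputs.conf says which directories it monitors and whether the host is itself a receiver on 9997. The script below is an added example, not part of the forum thread or of Splunk's own tooling. It parses two constructed sample files (the hostname splunk.example.internal and the paths under /var/log are assumptions) and reports forward targets, active monitor stanzas and any splunktcp receiver stanzas.

```python
"""Added example: read a universal forwarder's outputs.conf and inputs.conf
and report (a) where it forwards, (b) which paths it actively monitors and
(c) whether it is itself configured to receive on a splunktcp port.

Splunk .conf files are INI-style, so configparser is enough here.
"""
import configparser
from typing import Dict, List

# Constructed sample of $SPLUNK_HOME/etc/system/local/outputs.conf (assumed content).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk.example.internal:9997
"""

# Constructed sample of an app's inputs.conf on the syslog-collector host (assumed content).
# One monitor stanza is live, one is left over from the old collector and disabled,
# and a receiver stanza is present but disabled.
INPUTS_CONF = """
[monitor:///var/log/syslog-archive]
disabled = false
index = syslog
sourcetype = syslog
recursive = true

[monitor:///var/log/old-envision]
disabled = true
index = syslog

[splunktcp://9997]
disabled = true
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def _is_disabled(kv: Dict[str, str]) -> bool:
    # Splunk accepts 0/1 and true/false; anything absent means enabled.
    return kv.get("disabled", "false").strip().lower() in ("1", "true")


def forward_targets(outputs: Dict[str, Dict[str, str]]) -> List[str]:
    """Indexer host:port pairs this forwarder sends to (from tcpout:<group> stanzas)."""
    targets: List[str] = []
    for stanza, kv in outputs.items():
        if stanza.startswith("tcpout:") and "server" in kv:
            targets.extend(h.strip() for h in kv["server"].split(",") if h.strip())
    return targets


def active_monitors(inputs: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Monitor stanzas that are actually enabled, with the index they land in."""
    active = []
    for stanza, kv in inputs.items():
        if not stanza.startswith("monitor://") or _is_disabled(kv):
            continue
        active.append({
            "path": stanza[len("monitor://"):],
            "index": kv.get("index", "default"),
            "sourcetype": kv.get("sourcetype", ""),
        })
    return active


def active_receivers(inputs: Dict[str, Dict[str, str]]) -> List[str]:
    """Ports this host listens on for other forwarders (enabled splunktcp:// stanzas).
    A plain universal forwarder that only ships its own logs has none."""
    return [stanza[len("splunktcp://"):] for stanza, kv in inputs.items()
            if stanza.startswith("splunktcp://") and not _is_disabled(kv)]


def summarize(outputs_text: str, inputs_text: str) -> Dict[str, object]:
    outputs = parse_conf(outputs_text)
    inputs = parse_conf(inputs_text)
    return {
        "forwards_to": forward_targets(outputs),
        "monitors": active_monitors(inputs),
        "receives_on": active_receivers(inputs),
    }


if __name__ == "__main__":
    report = summarize(OUTPUTS_CONF, INPUTS_CONF)
    print("forwards to :", ", ".join(report["forwards_to"]) or "(nothing)")
    for m in report["monitors"]:
        print(f"monitors    : {m['path']} -> index={m['index']} sourcetype={m['sourcetype'] or '(auto)'}")
    print("receives on :", ", ".join(report["receives_on"]) or "(not a receiver)")
```

On a real host the same answers come from the forwarder itself: `splunk list forward-server` shows the configured indexers, and `splunk btool inputs list monitor --debug` shows every monitor stanza together with the file it was merged from, which is the quickest way to tell whether that old "monitor this directory" instruction is still in effect.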