Hi there,
Would someone tell me if I can disable atime update for logs monitored by a universal forwarder?
Even though atime is not being updated, can the forwarder correctly monitor and splunk the logs?
Thanks
Splunk uses CRC for monitoring files: http://docs.splunk.com/Documentation/Splunk/6.0.5/Data/Howlogfilerotationishandled
so disabling atime should not cause any problems.
Not quite a complete and correct answer by mreynov. Splunk uses a lot of different things besides CRC for file monitoring (atime is not one of them). For example, it uses mtime and size to determine if it has indexed a file and for the ignoreOlderThan option.
In general there is no need for atime on most systems unless you need to know if a file was accessed at a specific time. That's why most modern file systems in Linux use relatime as the default mounting option (so your atime is probably already not being updated more than once a day).
So go ahead and mount as noatime if you need zero updates, or relatime if you want sane updates (when file is changed or once a day).
Splunk uses CRC for monitoring files: http://docs.splunk.com/Documentation/Splunk/6.0.5/Data/Howlogfilerotationishandled
so disabling atime should not cause any problems.