From Splunk Wiki
The Splunk internal logs are no longer automatically included in events sent from a forwarder to the indexer. If you want to have the forwarder's internal logs in the _internal index on the indexer, add this stanza to the forwarder's inputs.conf:
[monitor://$SPLUNK_HOME/var/log/splunk] index = _internal _TCP_ROUTING = * _whitelist = /(audit|license_audit|metrics|splunkd|splunkd_stderr|splunkd_stdout|splunklogger)\.log$
Modify as appropriate for the path if necessary. On Windows hosts, replace '/' with '\' Windows path separators.