Can someone suggest what is the best practice to integrate Citrix mcs to Splunk? Our case is, we can't install splunk universal forwarder on the citrix servers because the server is frequently rebooting, once rebooted, the server will start to its original state meaning all installed app, configuration changes will be removed (just like deep freeze). Thanks.
Option 2 - several things can be collected remotely. For instance, you can forward Windows events to a different server that is not provisioned via MCS. Then, run the forwarder there. This option is somewhat limited depending on what you want to do. Most installations I've seen using PVS or MCS go with Option 1.