Hello @DanAlexander, In a Splunk environment, logs from Active Directory (AD) can be collected using various methods, including both agent-based and agentless approaches. Let's explore both options:

1. Agent-Based Approach: With the agent-based approach, you would install a Splunk Universal Forwarder (a lightweight data collection agent) on the AD domain controller machine(s). The Universal Forwarder is responsible for gathering logs from the specified sources on the machine and forwarding them to the Splunk indexer for indexing and storage.

The advantage of using the Universal Forwarder is that it allows you to filter and select the specific logs you want to collect from the AD DC machine(s), reducing unnecessary data transfer and storage.

2. Agentless Approach: In some cases, you can collect AD logs without directly installing an agent on the domain controller. This is achieved by using protocols such as syslog or Windows Event Forwarding (WEF). Here's how it works:

- Syslog: If your AD DC machine supports sending logs to a syslog server (e.g., using the syslog protocol), you can configure it to send relevant log data to a Splunk syslog server. The Splunk syslog server can then index and store these logs for analysis.

- Windows Event Forwarding (WEF): This is a built-in Windows feature that allows you to forward specific Windows event logs (e.g., security logs) from the AD DC to a central event collector. Splunk can act as the event collector, and you can configure the AD DC to forward the desired logs to your Splunk instance.

Both approaches are valid, and the choice between them depends on your organization's requirements, security policies, and technical constraints. If you are using a Splunk infrastructure, it is common to utilize the Universal Forwarder as it provides more control over log collection and allows filtering on the source machine before forwarding the data to Splunk.

Remember that whatever method you use, it is essential to ensure proper permissions and security considerations when collecting logs from sensitive systems like domain controllers.

Usually, the agent approach is preferable - where you can have an AD tree and install UF on the top to ingest the events. Also, you can provide specific DN/DC etc in the input configurations to better filter events.

Please hit Karma, if this helps!