1. Welcome to the Archaeology department 😉
2. Do you want to onboard static evt file or do you by any chance have a still running w2k/wxp instances and want to onboard "running logs"?
Static files might work with windows-based UF (but I never remember the right configuration for it - you have to search).
If you have a still operational ancient windows boxes... there are the same general options with any more modern windows but they might be more tricky to get right (at all).
a. Use an UF. But you said you don't want a UF and you might not get a sufficiently old UF which would still be compatible with modern Splunk receiving environment (the oldest UFs I worked with were 6.6 and they might have had no support for such old windows already; I doubt you can even get older forwarders, let alone making them work with Splunk 9+).
b. Query your windows from remote machine with UF by WMI - that might again be very tricky (if possible at all) with such old Windows. And for this you'd need your machines to be domain-joined.
c. Use Windows Event Forwarding. Well, this actually is not available for you as I believe this feature was introduced later - 2003 server/Vista.
d. Use any third-party tool to dump the event log and write it to a text file or send via syslog. This is the worst possible method of ingesting windows logs. Even if you ingest the data this way it will be in a completely unusual format and you'll need to put in huge amount of time to make it readable/parseable and so on.
