Just curious if anyone is collecting logs from off network endpoints (workstations) using a Splunk UF and how it is setup?
I am aware you can secure communication via certs and SSL but was just looking for any details on anyone's setup for ideas and guidance.
I'd say this answer can be pretty broad. There are multiple ways to collect this sort of information without UFs (for example Windows Event Forwarding for Windows endpoints) but most prefer the UF on endpoints directly. This provides distribution and less of a single point of failure or bottleneck in the collection. It also depends on scale of number of endpoints you want to collect from.
I put UFs as part of my standard build. Every system that gets built receives a UF and an add-on that points the UF to a deployment server. Depending on scale you may want multiple deployment servers. From the deployment server it gets a default set of configs like outputs to indexers, inputs to define what to collect, etc. From there you have a default baseline that is easy to add stuff to if a certain host requires additional logs to be collected.