Hi,
I need to import the security and application logs of many windows servers to splunk, but for security reasons I cannot install a splunk universal forwarder instance, I read on the splunk documentation that it is not recommended to use wmi to import the logs .. .
What do you recommend?
thanks!
Start by telling your Security people that you'll be using Splunk to monitor WinEventLog:Security, which will *enhance* the security of those servers. They probably won't care, but at least then you'll know what hypocrites they are.
Another possibility is to forward the Windows events to another server that can run a UF. See https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-... for more about event forwarding.
Still another possibility that I've never seen done is to forward the Windows events in HTTP protocol directly to a HEC input. See the same link above.