@gcusello wrote:

Hi @Gregski11, each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.
Giuseppe

Looks like the Splunk Add-on for Windows does not collect Event Logs:

The Splunk Add-on for Windows allows a Splunk software administrator to collect:

- CPU, disk, I/O, memory, log, configuration, and user data with data inputs.
- Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. You must configure Active Directory audit policy since Active Directory does not log certain events by default.
- Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging.

https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows