You might consider syslog-ng collecting Windows event logs agentless, then sending them directly to splunk with the splunk_hec() destination. Handles fail-over and load-balancing to multiple HEC natively. I have heard of an organization doing ~10TB per day through a pair of log servers balancing across ~120 HECs.
Splunk is cool and all, but this provides a log "layer" to handle collection, filtering, parsing, rewriting of your logs with the flexibility to send to lots of destinations including splunk in whatever format works best for that destination. And fewer endpoint agents is not a bad thing either.
... View more