Ideally, you would install a forwarder on each of the domain controllers that you want to collect Windows Event Log information for. There is a process that describes remote log collection, but that involves creating a domain account that Splunk can run as, and then giving that domain account the permissions to read those log files across all your domain controllers. This might be more complicated than just setting up a standard inputs.conf file that you can deploy to your domain controllers for collecting log information.
... View more