I have some questions around the configuration of Local Event Log collection. In reviewing our existing configuration I noticed that Event Log Collection for our Windows Splunk Server has been configured via "Settings=>Data Input=>Remote event log collecitons using "localhost" " versus "Settings=>Data Input=>Local event log collections".
My first question would be are there are any differences (positive or negative) between these two approaches? Since there are no noticeable problems, I am assuming no, but did want to get your thoughts on this. Secondly, Does local collection configured as either "Local" or "Remote" "Local inputs" methods both use WMI to obtain the logs?
Lastly, is there is a local monitoring alternative to using WMI for Security Log Collection on a heavily audited Splunk Server? Alternatively, does local monitoring with WMI (with AD Account versus LocalSystem) actually contribute to File and Object Access?