Thanks. The Splunk agent is the only thing running on a few Domain Controllers. Ultimately I would like to put it on all remaining DCs, but the pushback from the team is: why? The team thinks that running the Splunk agent on the PDC is enough. Other than the reason that, if you move the PDC to another, it will log uninterrupted, I find myself having a hard time justifying why the Splunk agent should be on all.
As I understand, most events are replicated across all Domain Controllers for authentication purposes of a domain, but security events, as I understand, don't. I am in favor of adding the Splunk agent more so because of security events in this day and age.
Appreciate your info.
Thanks