Hi, i need some help with the Active Directory APP installation because i cannot get any Failed Logon Data within the APP.

i am using the Trial Version of Splunk
- we have 1 Unix Indexer
- we have 1 Windows 2008 R2 Domaincontroller (Universal Client).

I installed on the Indexer:
Active Directory APP
(deployeed to the Domaincontroller TA-DomainController-NT6)
(deployeed to the Domaincontroller TA-DNSServer-NT6)
SA-ldapsearch and configured it, it works fine
Splunk Ad-on for Windows
(deployeed it to the Domaincontroller)
Sideview

On the Domaincontroller i installed:
Universal Forwarder
deployeed the TA-Domaincontroller-NT6 and DNSServer-NT6 and the Add-on for Windows

Now my question, the documentation says that when installing the Universal Forwarder on the domaincontroler "Do not enable any of the inputs during the installation". So i left on the last installation page all unchecked (no eventlogs, no AD monitoring, all unchecked). Is this right ? Bedause when i do that i cannot get any Faled Logon Data within the Active Directory APP. The ldap stuff is working fine, so i can see the green light and domain names and servernames within the Active Directory APP. What i am doing wrong ? Is it right that i do not need any Eventlogs separately configured at the Universal Forwarder to have those Failed logon Data ?

Thanks and best regards

Dave