I'm having a good time trying to configure Splunk for Active Directory on a universal forwarder using the remote data collection option. What groups does the user need to be added to in order to get this option to work? I have tried adding them to everything and I keep getting an error. Is it possible to use the local option? I'm also having trouble enabling the WinEventLogs using the Windows TA inputs.conf file. They appear to be enabled but I'm not receiving any events. Where is the correct place to enable those events?
I have a Splunk indexer running on Linux and one Domain Controller.
Thanks