Agentless Windows event log collection instead of using Elastic Agent?

[innovate-support]

I've been using the Elastic Agent with success, but I'm now working in a new client's network who does not wish to install an Agent on their hosts. Is there an 'agentless' method of Windows log collection that SO works with? Ideally this would be done by having ForwardSensors do the polling of the Windows hosts and forward that back to the SearchManager.

[defensivedepth]

One common way to handle this would be to use Windows Event Forwarding (WEF) to consolidate all the relevant eventlogs to one Windows system, then put the agent on that system only.

[novaksam]

My itch with @defensivedepth 's implied approach is that it's not compatible (or at least automaintainable) with multiple logs. We utilize https://github.com/palantir/windows-event-forwarding where different logs are forwarded to different log files on the WEF server, and that requires having an integration per log-file/endpoint (WEC-Authentication, WEC-Account-Management, etc) in addition to ingest pipeline for the 'custom' Windows event log integration to utilize the elastic maintained parsers.

And oddly, the Elastic 'forwarded events' pipeline does not appear to support Applocker redirection/pipeline, so I accounted for that in my custom pipeline below, which I use for the scenario described above. Applocker events go through the applocker pipelines, and the rest are handled by the normal forwarded pipeline, but any time fleet gets upgraded, I need to go in and update the versionnumbers.

[
  {
    "remove": {
      "field": "host",
      "ignore_missing": true
    }
  },
  {
    "lowercase": {
      "field": "winlog.computer_name",
      "target_field": "host.hostname"
    }
  },
  {
    "set": {
      "field": "user.name",
      "ignore_empty_value": true,
      "if": "ctx?.winlog?.event_id == \"4662\"",
      "tag": "snovak_SUN_Set",
      "copy_from": "winlog.event_data.SubjectUserName"
    }
  },
  {
    "pipeline": {
      "name": "logs-windows.forwarded-1.45.1",
      "ignore_missing_pipeline": true,
      "if": "ctx?.winlog?.event_provider != \"Microsoft-Windows-AppLocker\""
    }
  },
  {
    "pipeline": {
      "name": "logs-windows.applocker_exe_and_dll-1.45.1",
      "if": "ctx?.winlog?.channel != null && ctx?.winlog?.channel == \"Microsoft-Windows-AppLocker/EXE and DLL\""
    }
  },
  {
    "pipeline": {
      "name": "logs-windows.applocker_msi_and_script-1.45.1",
      "if": "ctx?.winlog?.channel != null && ctx?.winlog?.channel == \"Microsoft-Windows-AppLocker/MSI and Script\""
    }
  },
  {
    "pipeline": {
      "name": "logs-windows.applocker_packaged_app_execution-1.45.1",
      "if": "ctx?.winlog?.channel != null && ctx?.winlog?.channel == \"Microsoft-Windows-AppLocker/Packaged app-Execution\""
    }
  },
  {
    "pipeline": {
      "name": "logs-windows.applocker_packaged_app_deployment-1.45.1",
      "if": "ctx?.winlog?.channel != null && ctx?.winlog?.channel == \"Microsoft-Windows-AppLocker/Packaged app-Deployment\""
    }
  }