Hi All, I am trying to collect windows logs from some 2k endpoints. A few questions if anyone has experience with it. • Would it be better to use Splunk forwarder or Fleet OSquery - Asking this as I am concerned about performance and CPU utilization by putting one more agent on hosts (want to use OSquery and not use Splunk). • Would Splunk Apps work if I choose OSQuery

Splunk Forwarder is a pretty lightweight agent and should not use too many resources. Fleet doesn't really do log collection (right now anyway they have a version of that in the works however) so even if you sent the OSQuery logs to Fleet, the Splunk forwarder would have to be installed where you have Fleet running

I would strongly recommend looking at using WEF for a deployment this big: https://github.com/palantir/windows-event-forwarding

in my experience, using WEF with osquery in the WEC servers have not given me good results, as on 200/300 EPS osquery does not seem to be able to keep up. Have you ever made it work lets say with 1000 EPS ?

using WEF with osquery

On the collectors? Yeah, I would put a Splunk forwarder or something purpose built for high volume logging on them, not osquery.