What's the best approach to receive logs from DCs when a user logs in, logs out or types a wrong pass?
Preferably without an agent.
Is there a way to get info on who, when, and where?
From the Active Directory Domain controller?
Either use event log monitoring, or use the AppInsight for Active Directory. Both are included with SAM and Observability Self-hosted.
You'd first have to enable the audit policies in Event Viewer on the DC to make sure that events are created for login success/failure, and audit credential validation for failure. Then you'd get events in Event Viewer that correspond to that. You could see them there, or if you're sending logs from the DC, you could process those logs there and see them also. But most of the work would be done on the DCs…
The events are on the DCs. We used Windows Event Forwarding and a collector, but there is a lot of noise collected and reading the data is not easy. We're looking for a way to use SolarWinds to get this info from the DCs.
At that point you're just using SW as a SIEM. If it was a low # of logging entries, you might find the built-in logging to be sufficient, but I wouldn't want to do DCs without their SIEM product. Security Event Manager, I think? But you could just as easily use any other SIEM, like Splunk or whatever.
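As an added example (not posted by anyone in this thread, and not SolarWinds code): an agentless PowerShell query that pulls the logon, logoff and failed-password events discussed above from a DC's Security log and reduces them to who, when and where. The DC name is a placeholder; event IDs 4624, 4625, 4634 and 4776 are the standard Windows Security log IDs for logon, failed logon, logoff and NTLM credential validation, and the noise filters are an assumption about what counts as noise.

```powershell
# Added example. Assumes these audit subcategories are already enabled on the DC
# (normally through Group Policy; the local equivalent is):
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Logoff" /success:enable
#   auditpol /set /subcategory:"Credential Validation" /failure:enable
param(
    [string]$DomainController = 'DC01.example.local',  # placeholder, not from the thread
    [int]$HoursBack = 24
)

$what = @{
    4624 = 'Logon'
    4625 = 'Failed logon'
    4634 = 'Logoff'
    4776 = 'Credential validation failed'
}
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4776
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
    ForEach-Object {
        $e = $_
        # Flatten the named <EventData><Data Name="..."> fields into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $user = $d['TargetUserName']
        # Noise reduction: skip computer accounts (name ends in '$') and service logons (type 5).
        if (-not $user -or $user.EndsWith('$')) { return }
        if ($d['LogonType'] -eq '5') { return }
        # 4776 is also written for successful validations (Status 0x0); keep failures only.
        if ($e.Id -eq 4776 -and $d['Status'] -eq '0x0') { return }

        # "Where": 4624/4625 carry IpAddress and WorkstationName, 4776 carries Workstation.
        $src = $d['IpAddress'], $d['WorkstationName'], $d['Workstation'] |
            Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1

        [pscustomobject]@{
            When      = $e.TimeCreated
            What      = $what[$e.Id]
            Who       = ($d['TargetDomainName'], $user | Where-Object { $_ }) -join '\'
            Where     = $src
            LogonType = $d['LogonType']
        }
    } | Sort-Object When | Format-Table -AutoSize
```

The account running this needs permission to read the DC's Security log remotely, and the DC's firewall must allow remote event log access.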