I have an SEP server sending logs to a syslog server. Does the Splunk Add-on for SEP work?
It should work as long as you make sure the sourcetypes are the same for the specific files in the
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_symantec-ep\default\inputs.conf file.
On your syslog server, you may need to write logs to separate files based on keywords in order to then ingest them with different sourcetypes.