Instead of ingesting logs from all our individual UCS Manager instances, can I ingest just from UCS Central, which acts as an alert aggregator anyway for UCS? This would simplify the setup and means when we add a new UCS we wouldn't have to add it to Splunk, only to UCS Central.
According to Splunk support, the add-on does not currently support UCS Central, only UCS Manager.
Yes, you need to install the add-on on a heavy forwarder and point it to UCS Central with valid credentials.