1) OK, so I'm ruling out using the Universal forwarders.
2) The heavy forwarder does forward to the indexer. So you're saying that the props.conf and the transforms.conf on the indexer will filter and route the traffic from the heavy forwarder, so I only need those config files on the indexer, correct?
3) To be clear, I have the indexer listening on UDP:514 and devices (VMware hosts and Cisco networking equipment) pointed to the Splunk indexer as their syslog server. But for remote devices I have set up a Heavy forwarder to capture syslog traffic and forward to indexer (receiver).