Just a thought, but is there any reason you're not using a syslog collector (rsyslog / syslog-ng) then having Splunk read the log files? This would be the prefered option, you could also then route the syslog stream to both the local file system and to the external third party system you're aiming for.
You could try looking through this answer which details a successful config for third party routing via Splunk Heavy Forwarder: https://answers.splunk.com/answers/65818/forward-data-to-a-third-party-system.html
You're right that the data should default to UDP and NOT TCP.
Do the quantity of 'empty' forwarded packets match with the received syslog data?
On your props.conf, is [host::x.x.32.115] are the 'x's accurate regex? Should they be '*' with escaped '.'?
I assume you have checked your host field is an IP address?
... View more