Hello,
While you can forward syslog directly to an indexer, best practice is to forward to a syslog collector, which then would write the log locally for a retention period (usually 1-7 days). Then you would have a forwarder monitor those log files and send them out. This helps in cases where you need to restart the indexers and not drop UDP. Additionally, this helps with resources and load balancing.
As for why you are not getting logs CURRENTLY via this setup:
We use 9997 (historically) for Splunk-to-Splunk data transmission. If you are setting up straight UDP syslog, you are going to want to make a new UDP listener under http://localhost:8000/en-US/manager/launcher/data/inputs/udp. Assign a sourcetype, index, and port. See https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Monitornetworkports.
Don't forget to open local firewalls on the host.
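The two setups described in the answer above, written out as an added configuration example (this is not the original poster's config, nor Splunk's or rsyslog's documentation). It assumes an rsyslog collector that writes one file per sending host under /var/log/remote/, a universal forwarder on that same box, an index named `network`, and port 1514 for the direct-to-Splunk listener; all of those names and ports are assumptions, not values from the thread.

```ini
# ---------------------------------------------------------------
# Option A (recommended in the answer): syslog collector writes to
# disk, forwarder monitors the files.
#
# /etc/rsyslog.d/50-remote.conf on the collector (assumed path)
# ---------------------------------------------------------------
module(load="imudp")
input(type="imudp" port="514")          # rsyslog runs as root, so 514 is fine here

# One file per sending host: /var/log/remote/<hostname>/syslog.log
template(name="RemoteHost" type="string"
         string="/var/log/remote/%HOSTNAME%/syslog.log")

# Only remote traffic goes to the per-host files; local logs keep their defaults.
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteHost")
    stop
}
# Retention (the 1-7 days mentioned) is handled by logrotate on
# /var/log/remote/*/syslog.log, not by rsyslog itself.

# ---------------------------------------------------------------
# $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder
# (or, better, an app under etc/apps/) - assumed location
# ---------------------------------------------------------------
[monitor:///var/log/remote/*/syslog.log]
sourcetype = syslog
index = network
disabled = 0
# Path segments: 1=var 2=log 3=remote 4=<hostname>, so take host from segment 4
host_segment = 4

# ---------------------------------------------------------------
# Option B (what the thread was trying to do): Splunk listens on UDP
# directly. Do NOT reuse 9997; that is the Splunk-to-Splunk port.
# Ports below 1024 need root, so a non-root Splunk typically uses a
# high port such as 1514 and the network devices are pointed at it.
# ---------------------------------------------------------------
[udp://1514]
sourcetype = syslog
index = network
# Set host from the sender's IP (alternatives: dns, none)
connection_host = ip
# Splunk would otherwise prepend its own timestamp to each UDP datagram
no_appending_timestamp = true
disabled = 0
```

The monitor stanza only picks up files that already exist, so point a device at the collector and confirm a directory appears under /var/log/remote/ before troubleshooting the forwarder. For either option the indexer never has to be reachable at the moment a UDP packet arrives: in Option A the collector absorbs indexer restarts, whereas in Option B datagrams that arrive while Splunk is down are simply lost, which is the reason the answer recommends Option A.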