Yeah that's where I snipped the text in bold above. I had read that before albeit not as carefully as I should have.
I was more concerned on how to get the data to my indexer after the app was installed - didn't even think about a forwarder when I asked the question (my bad) since this is our first Linux box that will forward data (we're a Windows shop) 😉 The answer I think using the forwarder with syslog the other option as you suggest.
Did you click on the Documentation tab? it has details on how to install and configure the app.
To get your data you could configure syslog to output to a listening port on Splunk and just define a tcp input, but yeah the better and more secure/reliable way would be to just install a forwarder and let it handle everything 🙂 There is a contact link on the app so if you do get stuck it might be worth firing a message off.
I think part of it is I'm still learning Security Onion so the Bro piece didn't stand out but more importantly is this is the first Linux machine I'll be forwarding data from [to Windows based Splunk instances] so it wasn't immediately apparent I should just be using the Linux universal forwarder like I would use on any other Windows box (which I think is the answer to my question).
I had also read the link you posted but it seems to be more of an overview of the app then a configuration guide.
Yeah I read the notes a couple times but I seemed to have totally blew past the this part:
"Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked."