I am collecting the log files from my syslog server and defined the index for the source path, but it is still sending the events to the main index.
Need to change the index for the event.
Please help!
On your indexer you need to create an index using the indexes.conf file:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf
Once the index is defined there, you need to reference it inside of the inputs.conf on your syslog server like this:
[monitor://.......]
index=YourIndexNameHere
I am unable to find the indexes.conf under /opt/splunk/etc/system/local. I wonder if I need to create one, if that doesn't exist?
Also, on my syslog my current inputs.conf looks like below with the default installation.
[default]
host = SP-FWDR
Do I need to reference each index inside inputs.conf for whatever I need to be in separate indexes? What about the rest of the events, will they go to main?
No, do not put your stuff in /opt/splunk/etc/system/local. Create your own app on your indexers in /opt/splunk/etc/apps/YourCompany_all_indexes/default/indexes.conf. Yes, you reference that index name inside of inputs.conf on your syslog server. If you do not specify any index name, then by default your events will go to main. If you specify an index name/value that does not exist, then the events will go nowhere and get dropped (logging "Received event for unconfigured/disabled/deleted" in index=_internal), unless you have defined a lastChanceIndex on your indexers.
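The two-file setup described in the answer above, as an added example that is not part of the thread and not Splunk's own code: it writes a minimal index-definition app (in default/, as recommended) plus a forwarder-side inputs.conf into a scratch directory, then cross-checks that every index= an input references is actually defined, since an undefined index means the events are silently dropped unless lastChanceIndex is set. The app name YourCompany_all_indexes comes from the thread; the forwarder app name YourCompany_syslog_inputs, the index names syslog, network and lastchance, the monitored file paths, and the use of a temporary directory instead of $SPLUNK_HOME are all assumptions. The second monitor stanza deliberately points at an index that does not exist so the check has something to find.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. All names and paths below
# are assumptions; the scratch directory stands in for $SPLUNK_HOME.

SCRATCH="${SCRATCH:-$(mktemp -d)}"
APP="$SCRATCH/etc/apps/YourCompany_all_indexes"        # indexer-side app (name from thread)
FWD="$SCRATCH/fwd/etc/apps/YourCompany_syslog_inputs"  # syslog-host app (assumed name)

# indexes.conf for the indexers. It ships in default/ so a site admin can
# override individual settings in local/ without editing the authored file.
write_indexes_conf() {
    mkdir -p "$APP/default"
    cat > "$APP/default/indexes.conf" <<'EOF'
[default]
# Safety net: events aimed at an undefined index land here instead of
# being dropped. The target must itself be a defined index (see below).
lastChanceIndex = lastchance

[syslog]
homePath   = $SPLUNK_DB/syslog/db
coldPath   = $SPLUNK_DB/syslog/colddb
thawedPath = $SPLUNK_DB/syslog/thaweddb

[lastchance]
homePath   = $SPLUNK_DB/lastchance/db
coldPath   = $SPLUNK_DB/lastchance/colddb
thawedPath = $SPLUNK_DB/lastchance/thaweddb
EOF
}

# inputs.conf for the syslog host. Each monitor stanza names its index; the
# second one references "network", which is deliberately not defined above.
write_inputs_conf() {
    mkdir -p "$FWD/local"
    cat > "$FWD/local/inputs.conf" <<'EOF'
[default]
host = SP-FWDR

[monitor:///var/log/syslog/firewall]
index = syslog
sourcetype = syslog

[monitor:///var/log/syslog/switches]
index = network
sourcetype = syslog
EOF
}

# Print the index stanza names defined in an indexes.conf ([default] excluded).
defined_indexes() {
    sed -n 's/^\[\([^]]*\)\].*/\1/p' "$1" | grep -v '^default$'
}

# Print every "index = X" referenced in inputs.conf that has no stanza in
# indexes.conf. Returns 0 when all are defined, 1 when any is missing.
undefined_indexes() {
    inputs="$1"; indexes="$2"; rc=0
    for idx in $(sed -n 's/^[[:space:]]*index[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$inputs" | sort -u); do
        if ! defined_indexes "$indexes" | grep -qx "$idx"; then
            echo "$idx"; rc=1
        fi
    done
    return $rc
}

# Returns 0 if indexes.conf sets lastChanceIndex and the named index exists.
lastchance_ok() {
    lc=$(sed -n 's/^[[:space:]]*lastChanceIndex[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    [ -n "$lc" ] && defined_indexes "$1" | grep -qx "$lc"
}

write_indexes_conf
write_inputs_conf
# Prints "network": the one index referenced by an input but never defined.
undefined_indexes "$FWD/local/inputs.conf" "$APP/default/indexes.conf" || true
```

This is a static cross-check you can run from a deployment repository before pushing the apps out. On a live indexer the authoritative view of what is actually defined, and which file each setting came from, is `splunk btool indexes list --debug`; after deploying, a search for `index=_internal "unconfigured/disabled/deleted"` shows whether any forwarder is still sending to an index the indexers do not know about.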
Sorry for jumping in @woodcock - we put our indexes under $SPLUNK_HOME/etc/apps/YourCompany_all_indexes/local/indexes.conf (local versus your recommendation of default).
In the past, on an older platform, we placed the indexes under - $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
So, we see three variations -
1) $SPLUNK_HOME/etc/apps/YourCompany_all_indexes/default/indexes.conf
2) $SPLUNK_HOME/etc/apps/YourCompany_all_indexes/local/indexes.conf
3) $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
Why is #1 the preferred way?
The person who authors the app should deploy his configurations in default. That way, if the person who is using the app needs to update/override/configure the settings to suit his situation, he can deploy his configurations in local to override the author's defaults. Splunk PS has the bad habit of deploying their configurations in custom_app/local because it suits them better to have configurations that the user cannot override; they prefer things to stay the way that they think they should be. I think that this is a mistake. In any case, EVERYBODY agrees that nothing should be deployed in $SPLUNK_HOME/etc/system/.
Much appreciated @woodcock, what about the $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf location?
That directory has the highest precedence of all, even higher than $SPLUNK_HOME/etc/system/local/, so it is for emergencies only.
oh oh wow - much appreciated @woodcock !!!
If you deploy indexes.conf via the master at /opt/splunk/etc/master-apps/_cluster/local/indexes.conf then your indexes.conf on the peer nodes (indexers) will reside at /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf, not at /etc/system/local.
In a clustered environment, I'm not a fan of deploying indexes.conf any other way, though it can be done (e.g. in a custom app).
If that app gets deleted, or you inadvertently deploy with the app directory missing, or wrong permissions, etc. then you're going to have problems.
The /opt/splunk/etc/master-apps/_cluster/local/ is a special directory intended just for this purpose, and is documented as such:
https://docs.splunk.com/Documentation/Splunk/7.0.4/Indexer/Updatepeerconfigurations