My configuration is as follows:
WIndows Machine with a logging agent (using SNARE as unable to use SPLUNK UF due to other requirements) ==> Logs sent to a CentOS virtual machine with SPLUNK Universal forwarder on it ==> CentOS UF transmits logs to SPLUNK Enterprise
This configuration works and I get the logs I need. In it's current state it will do it's job but I am thinking when I scale this whether or not the SPLUNK universal forwarder on the CentOS machine is capable of handling the log throughput (moving from 1 machine to say 250). The intent is to simply use the CentOS machine and its SPLUNK UF to push this up to SPLUNK Enterprise. I don't care about log retention on the CentOS machine.
Some additional info the logs are being streamed across so the only time the data gets to rest is when it gets to SPLUNK Enterprise.
In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.
You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).