Yes, it is possible to send logs from UFs to HFs, since you can set up HFs to act as receivers.
On the HF you need to set up receiving as described here: Enable a receiver - Splunk Documentation
In inputs.conf (HF), set up the listening port; 9997 is the default:

    [splunktcp://9997]
    disabled = 0

On the UF you need to set up forwarding to the HF as described here: Configure forwarders with outputs.conf - Splunk Documentation
In outputs.conf (UF), set it up to send events to the HF. You can name the groups whatever you want. You also need to change the server name / IP.

    [tcpout]
    defaultGroup=my_HFs

    [tcpout:my_HFs]
    server=mysplunk_heavy:9997

    [tcpout-server://mysplunk_heavy:9997]

Hope this helps.
As @gcusello and @smurf already said, this is possible. But which one should you select, UF or HF? The best practice is to use a UF if possible and an HF only when you don't have any other options. The main reason for this is to save resources on that gateway/hub/intermediate node, as a UF is much smaller than an HF. Also, a UF generates less network traffic than an HF, as it doesn't add (as much) metadata as an HF does after it has processed events.
Basically, the only case when you should/have to use an HF is if you have some modular inputs which need e.g. Python on the HF side (e.g. TA for AWS, TA for M365, TA for VMware etc.)
As @gcusello already said, you should have several intermediate nodes and spread traffic from UFs to all of those. When you are using a UF as a hub, you probably need to raise its throughput from 256KBps to 1024 or higher. Just add this to limits.conf, like

    [thruput]
    maxKBps = 512

or higher, based on your traffic amount.
Yes, it's possible.
The choice between a Universal and a Heavy Forwarder depends on whether you want to parse and merge events before sending them to the Indexers.
If you want to leave all the preindexing operations to the Indexers, you can use either a UF or an HF as log concentrator; if you want to move the load of preindexing activities off the Indexers, you have to use an HF.
Anyway, I suggest always using (with both UFs and HFs) at least two machines to avoid Single Points of Failure.
In the Deployment Server's [Settings -- Forwarder Management] or in the Monitoring Console's [Monitor Console -- Forwarders -- Forwarders: Deployment] you have the list of all Forwarders (UFs and HFs) connected to the Deployment Server (or to the All in one Splunk Server).
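
An added example, not written by any of the posters above: a small Python check that reads a forwarder's outputs.conf and a receiver's inputs.conf as posted in this thread and reports a defaultGroup with no server list, a group with only one receiver (the single point of failure mentioned above), and a target port that has no enabled splunktcp input. It assumes every HF in a group uses the same inputs.conf; the two-receiver hostnames are hypothetical.

```python
# Constructed sample input: the configs from this thread, plus a two-receiver variant.
HF_INPUTS = "[splunktcp://9997]\ndisabled = 0\n"
UF_OUTPUTS = ("[tcpout]\ndefaultGroup=my_HFs\n[tcpout:my_HFs]\n"
              "server=mysplunk_heavy:9997\n[tcpout-server://mysplunk_heavy:9997]\n")
# Hostnames below are hypothetical.
UF_OUTPUTS_HA = UF_OUTPUTS.replace("server=mysplunk_heavy:9997",
                                   "server=hf1.example.com:9997,hf2.example.com:9997")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza name: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def receiver_ports(inputs_text):
    """Ports of enabled [splunktcp://...] stanzas in the receiver's inputs.conf."""
    ports = set()
    for name, kv in parse_conf(inputs_text).items():
        port = name.rpartition(":")[2].lstrip("/")
        enabled = kv.get("disabled", "0").lower() not in ("1", "true")
        if name.startswith("splunktcp://") and port.isdigit() and enabled:
            ports.add(int(port))
    return ports

def split_list(value):
    """Split a comma-separated conf value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_forwarding(outputs_text, inputs_text):
    """Findings for a forwarder outputs.conf checked against a receiver inputs.conf."""
    out, listening, findings = parse_conf(outputs_text), receiver_ports(inputs_text), []
    groups = split_list(out.get("tcpout", {}).get("defaultGroup", ""))
    if not groups:
        findings.append("[tcpout] has no defaultGroup")
    for group in groups:
        servers = split_list(out.get(f"tcpout:{group}", {}).get("server", ""))
        if not servers:
            findings.append(f"group {group}: no [tcpout:{group}] server list")
        elif len(servers) == 1:
            findings.append(f"group {group}: one receiver only (single point of failure)")
        for server in servers:
            port = server.rpartition(":")[2]
            if not port.isdigit() or int(port) not in listening:
                findings.append(f"{server}: no enabled splunktcp input on that port")
    return findings
```

Calling check_forwarding(UF_OUTPUTS, HF_INPUTS) on the thread's single-receiver config returns only the single-point-of-failure finding; the two-receiver variant returns an empty list.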