We currently use nxlog on our Windows domain controllers to forward logs one destination.
With nxlog I can forward the logs to another destination and I'd like to forward the Windows event logs to our Splunk instance in Azure. With that, can I forward the domain controller logs to an on-prem heavy forwarder and then have the heavy forwarder forward the domain controller logs to Splunk in Azure?
Basically, can the heavy forwarder function as both a receiver and forwarder?
Yes , heavy forwarder can receive and forward the data to another instance.
inputs.conf configuration is require for Heavy Forwarder receiver configuration and outputs.conf configuration is require for HFW forwarder configuration.
If you want to send subset of data to different splunk instances from Heavy Forwarder then you may require props.conf and transforms.conf as well.
One last question - is it possible to just forward the logs on without storing them on the heavy forwarder?
Yes it is possible. Generally heavy forwarder do not store any data but you need to configure outputs.conf accordingly.