I tried going through the documentation, but haven't been able to get much working with the exception of syslog messages from my firewall.
On the web server where I installed the Universal Forwarder, I created 2 files in etc\system\local
I used bits and pieces of information that I found in various answers here.
inputs.conf
[monitor://D:\Logs\inetpub\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 14d
outputs.conf
[tcpout-server://myserverip:9000]
On my server I added a TCP data input on port 9000
The outputs.conf should have been created when you installed the forwarder, and it will be located in splunk\etc\system\local\outputs.conf. It should contain a tcpout:default and/or a tcpout-server://ip:port.
Try adding a _TCP_ROUTING attribute to your inputs.conf monitor stanza; the value should be your indexing server name:
Inputs.conf
[monitor://D:\Logs\inetpub\*\*.log]
_TCP_ROUTING = indexingservername
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 14d
Outputs.conf
[tcpout]
defaultGroup=indexingservername
[tcpout:indexingservername]
server=ipaddress:port of indexing server
Check your monitor path. I believe it should be D:\inetpub\Logs......
Roger that. First step is to get the header line from the top of the iis log file. You'll need that to tell splunk what the field names are and what to use as a delimiter.
Sigh, apparently I missed the part in the documentation where it went over the configuration steps on the receiver. As soon as I did that I started receiving the events. I followed your recommendation and removed the TCP input on port 9000. I have the forwarder and receiver configured to use the default port 9997. Thank you so much! Next I get to work with IIS advanced logging hehe, but this is a good start!
What is the default tcp port for inputs on the indexer?
You should not have to create a special input port for the iis logs.
Also, iis logs are typically not configured with the default iis sourcetype because it does not handle headers well. You will probably want to create a custom sourcetype and configuration in your props.conf and transforms.conf. There are many examples in this forum, but if you want specific help then post the header line that shows the fields.
Lastly, universal forwarders should not be sending cooked data; are you sure you installed a universal forwarder?
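To show why the answer above asks for the header line, here is an added example (not from this thread or from Splunk) that parses IIS W3C extended log lines using the `#Fields:` directive for field names and a space delimiter; the log lines are constructed sample data.

```python
"""Parse IIS W3C extended log text using its '#Fields:' header.

Added example, not from the original thread. The sample log below is
constructed; it mimics IIS output, including a second '#Fields:' line,
which IIS emits whenever the configured logging fields change.
"""
from typing import Dict, List, Optional

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 00:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 15
2024-01-15 00:00:02 10.0.0.5 GET /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 401 2 5 32
#Fields: date time cs-method cs-uri-stem sc-status
2024-01-15 00:00:03 POST /login.aspx 500
"""


def parse_iis_w3c(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per event, named from the most recent '#Fields:' header.

    The header is tracked statefully rather than read once at the top, so a
    mid-file field change does not misalign later events. Fields are
    space-delimited and '-' marks an empty value (mapped to None).
    """
    fields: List[str] = []
    events: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no events
        if not fields:
            raise ValueError("data line before any #Fields header: %r" % line)
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d values: %r"
                             % (len(fields), len(values), line))
        events.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return events


def failed_requests(events: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Filter events with an HTTP status of 400 or above (4xx/5xx)."""
    return [e for e in events if e.get("sc-status") and int(e["sc-status"]) >= 400]
```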
There is no line [splunktcp:port] in my inputs.conf
In your splunk\etc\system\local\inputs.conf what is the [splunktcp:port] port number?
Also, I see the following WARN in the logs:
TcpOutputProc - Cooked connection to ip=myserverip:9000 timed out
In the Splunk server, I have a TCP input configured on port 9000 set to Source type = iis
Anyways, after restarting the forwarder, it seems to have sent 4 messages, but it looks like garbage.
--splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
and it's definitely not the data from my IIS logs.
I reinstalled it and now it created the inputs.conf and output.confs. The inputs.conf has the following
[default]
host = MYSERVER
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
I added the log monitor lines from before.
The output.conf now looks like this:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = myserverip:9000
[tcpout-server://myserverip:9000]
I don't really understand the configuration as it looks redundant.
It happens, I updated the answer to make it more clear.
Both inputs and outputs need to be on the forwarder.
Now you are confusing me even more than I already am hehe. I thought configuration settings for where the data goes was done in outputs.conf, yet your recommendation was to add a setting in inputs.conf for the server?
You can use the name of the indexer, or its IP address.
The indexing server is the server with the main Splunk instance - the forwarder sends logs to the indexing server.
You can also use the IP address of the indexing server.
I had to create the input.conf and output.conf files manually. They were not there. I do not understand what you mean by indexing server name.
Yes, I restarted it.
I see the following:
LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
So I guess my outputs.conf is wrong? Again I put that together from another post/article.
If that is incorrect, what should it look like?
Did you restart the forwarder?
Are there any errors in the splunkd.log found in splunk\var\log\splunk\?