Best practice for ingesting syslog data is to send it to a syslog/syslog-ng server, which writes to directories/files and have a universal forwarder monitor those files. Only this approach allows you to assign proper sourctypes to your log data. "syslog" is not a very meaningful sourcetype, when users want to try and find logs from firewalls, IPSs, switches, etc.
Having said that: You can run a search to identify which of your HFs is sending which sourcetype and then check your configuration on the relevant server.
You can also run
./splunk cmd btool inputs list --debug
to list out all configuration settings for inputs.conf and it will tell you which configuration file it was taken from.