Here are sample configs from my setup (Lightweight forwarders -> Heavy forwarder -> Indexer).

My Lightweight forwarders (LWFs) are configured just like any other LWF would be configured (as in enable the lightweight forwarder app). LWF's outputs.conf. This forwards on port 9997 to the host "myHWF":

[tcpout]
defaultGroup = myHWF_9997
disabled = false

[tcpout:myHWF_9997]
server = myHWF:9997

[tcpout-server://myHWF:9997]

Then you configure the Heavyweight forwarder (HWF) to both receive and forward data (enable the forwarder app). HWF inputs.conf. This enables receiving on port 9997:

[splunktcp://9997]

HWF outputs.conf. This enables forwarding of data on port 9998. Note that I have disabled indexing at this HWF by setting indexAndForward to false. This keeps Splunk from indexing the events that are being forwarded to it by the LWFs. In addition I am encrypting this connection via SSL:

[tcpout]
defaultGroup = splunk01
indexAndForward = false


[tcpout:splunk01]
server = splunk01:9998
compressed = true

[tcpout-server://splunk01:9998]
sslCertPath = $SPLUNK_HOME\etc\auth\server.pem
sslPassword = XXXXXXXXXXXXXXXXX
sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem
sslVerifyServerCert = false

And finally at the Indexer configure your inputs.conf. Receiving on port 9998; again, with SSL settings:

[splunktcp-ssl:9998]
compressed = true

[SSL]
password = XXXXXXXXXXXXX
requireClientCert = false
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
serverCert = $SPLUNK_HOME\etc\auth\server.pem

And that's basically it. Events from your LWF's get pooled at your HWF, which then sends them on to your Indexer.