I've tried browsing around previous topics but couldn't find anything that worked for my particular situation. I have a very simple test setup with a Universal Forwarder, a Debian 9 machine running the free edition of Splunk Enterprise, and another non-Splunk box. My goal was to simulate log forwarding from the workstation running the Universal Forwarder to the Splunk box to my non-Splunk box. I was indexing things up to 3 hours ago while troubleshooting why logs weren't being forwarded to my non-Splunk server. Eventually, I was able to get this data forwarded successfully to my non-Splunk server but then I noticed it stopped indexing on the Splunk server. No errors.

My Splunk servers outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.X.1.99:514
sendCookedData = false
indexAndForward=true
[tcpout-server://10.X.1.99:514]

My Splunk servers inputs.conf; listening on 9997:
[default]
host = splunk

My Universal Forwarders outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.X.1.181:9997
autoLB = true

My Universal Forwarders inputs.conf (SOC workstation):
[default]
host = SOC-6

Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log/auth.log
/var/log/syslog

It's supposed to be a very basic setup. Like I said, I'm receiving logs on the non-Splunk box which was the main goal but I can't leave it partial with the Indexer not indexing. If you require further information feel free to request it. Thanks