There are a few good resources on this but I definitely recommend taking a look at a couple of Splunk .Conf sessions on the topic. If you go to https://conf.splunk.com/conf-online.html and search for FN1616 and FN123102 there are some good talks about getting syslog set up for Splunk. If you join the Splunk Community Slack channel (https://splk.it/slack) there are several channels dedicated to syslog as well.
You have the option of using a HF or UF but you want to avoid the HF if you can. The UF will be better for load balancing in a distributed environment and HF will increase resource usage and data sent across the network. If all you are doing is forwarding the data to your indexer(s) you can just use a UF. The apps/add-ons also depend on the data on syslog and whether or not you use a HF. If you use a heavy forwarder all of your parsing add-ons for the data on syslog would need to reside on the HF. Most add-ons will tell you whether or not they should be placed on a forwarder so it all depends on the kind of data you will be getting through syslog.
