Hello, I have some windows systems that I'm trying to send logs from via a universal forwarder, to a heavy forwarder. However, I am getting an error on the heavy forwarder:

WARN  IndexerService - Received event for unconfigured/disabled/deleted index=testwineventlog with source="source::tcp:5513" host="host::*hostname*" sourcetype="sourcetype::tcp-raw".  So far received events from 1 missing index(es).

On the universal forwarder, I have the inputs.conf configured:

[WinEventLog://Application] disabled = 0 
interval = 60 
evt_resolve_ad_obj = 0 
evt_dc_name =  
evt_dns_name = 
index = testwineventlog

[WinEventLog://System] disabled = 0
interval = 60 
evt_resolve_ad_obj = 0
evt_dc_name =  
evt_dns_name =  
index = testwineventlog

[WinEventLog://Security] disabled = 0
interval = 60 
evt_resolve_ad_obj = 0
evt_dc_name =  
evt_dns_name = 
whitelist = 4624-4626,4634,4647-4649,4672-4674
index = testwineventlog

My outputs.conf file on the universal forwarder is:

[tcpout:hq] 
server = *heavy forwarder hostname*:5513

I don't have indexing enabled on the heavy forwarder (no entry for it, it should default to disabled right?)

[default] host=*hostname* 
[tcp:5514]
connection_host=dns 
sourcetype=syslog
persistentQueueSize=1GB
index=hq
[tcp:5513] 
connection_host=dns
persistentQueueSize=1GB
index=testwineventlog

Also, why am I seeing sourcetype raw? Doesn't the wineventlog input set that sourcetype on the universal forwarder? The heavy forwarder doesn't recognize it?