We have a Threatarmor appliance, it sends its logs in CEF format. I have a configured a Universal Forwarder on the same network as this appliance, (UF installed on Linux) from the Splunk ES I can query this UF and I see a number of events as follows

10-18-2019 09:02:10.955 +0100 INFO Metrics - group=tcpin_connections, x.x.x.x1:39658:9997, connectionType=cooked, sourcePort=39658, sourceHost=x.x.x.x1, sourceIp=x.x.x.x1, destPort=9997, kb=0.00, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.51, _tcp_Kprocessed=34245.94, _tcp_eps=0.00, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=bd63e13aa157, version=7.3.1, os=Linux, arch=x86_64, hostname=xxxxxxxxxx, guid=86A46F88-EA2A-4392-B3E9-E89FC9BC46C1, fwdType=uf, ssl=false, lastIndexer=x.x.x.x2:9997, ack=false

So as you can see the ES (x.x.x.x2) is picking up data from the UF (x.x.x.x1). I have configured the following .conf files on the forwarder

Inputs.conf
[monitor:///xxxxx//csv/logs]
host = xxxxx
sourcetype = threatarmor
index = threatarmor_csv

outputs.conf
[tcpout:group1]
server=x.x.x.x2:9997

[tcpout:group2]
server=x.x.x.x2:9997

So the problem is, while I can see system logs from the forwarder, I cannot see (unless im running the wrong searches) the logs from the threatarmor appliance, which should be logs in CEF format.

Please could you tell me what I am doing incorrectly here? The Threatarmor is an appliance so we are unable to install any third party software i.e. Splunk UF.