I have a RHEL5 instance running  Universal Forwarder 7.0.3, currently sending logs to Splunk Enterprise. We are in the process of migration to Splunk Cloud. Splunk Cloud doesn't accept <TLS 1.2 and I can't use HEC from the host because the TLS version is 1.0. 
As part of the solution, I came up with using an intermediate forwarder - this can forward the logs however, what I am getting is all hex characters. 
Something like this:
\x00\x8F
\x00\x00\x8Bo\xF5\x86\x84᜝h\xFCt5\xCB4T^\x9B\xBC\xE3c\xE6i\xD3\xA5\xCE/\x00\x00 \xC0,\xC00\xC0+\xC0/\xC0$\xC0(\xC0#\xC0'\x00\x9D\x00\x9C\x00<\xC0.\xC0-\xC0&\xC0%\x00\xFF
\x00\x00A\x00\x00\x00
\x00

At some point, I also saw "--splunk-cooked-mode-v3--" in the logs. 

The inputs file of the for the intermediate forwarder is this:

[splunktcp://<Source IP>:<Port>]
index = <my index>
disabled = false

The output is just the standard HEC. 

The version of the universal forwarder that I am using is 9.0.3

The universal forwarder version of the source cannot be updated to the latest one or any more than that since it is RHEL5. 

How should I be able to see clean data and not hex ones?