We use a forwarder to collect all our syslog data from the syslog server. We opted to keep the syslog server and use a UF so we could work on Splunk, i.e. restart, and not worry about losing data during the restart. The UF will cache the data until it can send it to the indexer.
The HF can do some processing on the data, then send it to the indexer. So yes, it could help; I've never had a reason to do that. I'd suggest you look at the SOS and deployment apps to help monitor things.
https://apps.splunk.com/app/748/
https://apps.splunk.com/app/1294/
The other reason I like not going directly to Splunk is that if there is an issue that affects Splunk, my logs are still in flat files on the server.