Hi Yaichael,
Maybe this can help:
To receive data from a syslog server, for example, you can send data directly to a Splunk Server (Splunk Indexer if you have a distributed deployment, or Splunk Enterprise for a single-server deployment).
You can also deploy Universal Forwarders to receive local data on some servers. I would suggest you install a Universal Forwarder in one of these cases:
You want to index a local log file from a server that is not the Splunk Server
If you have a remote location and want to receive all the logs from that location on a local server and then forward this data to your Splunk Server(s)
If you have a distributed deployment it's always better to receive data on Universal Forwarders that can auto load balance data across all your indexers
A Heavy Forwarder is a full Splunk Server installation that only collects data and forwards that data to your Splunk server or indexers. It's not very common to have heavy forwarders, just in some cases; in most cases you can deploy a Universal Forwarder. But for some cases you must install a heavy forwarder, for example to use the app of Checkpoint LEA, or to make some index-time transformations.
Hope this helps you