To enable the intermediary forwarders to listen for data, you have to add a stanza to your inputs.conf:
[splunktcp://9997]
Or, if you want SSL:
[splunktcp-ssl://9997]
A universal forwarder does no local indexing, so the events will be forwarded, as specified in outputs.conf, by default. You can specify which indexes should be forwarded by changing the blacklists and whitelists in outputs.conf. Have a look at system/default/outputs.conf to see what is blacklisted and whitelisted by default. Basically, everything is forwarded, except anything starting with an underscore.
Two comments in general:
If you can avoid an intermediary forwarder, you may be better off without one. For me, they have caused more problems than they have solved.
You may want to consider a heavy forwarder, depending on your needs.
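The SSL variant mentioned in the answer also needs certificate settings on both ends before it will accept connections. The fragment below is an added example, not part of the original answer; the certificate paths, the `intermediary` group name and the `intermediary.example.com` hostname are placeholders, and the stanza header uses the `[splunktcp-ssl:<port>]` form from inputs.conf.spec.

```ini
# --- intermediary forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Plaintext receiver: forwarded events cross the network unencrypted.
# [splunktcp://9997]

# TLS receiver instead.
[splunktcp-ssl:9997]

[SSL]
# Placeholder path: PEM file holding the server certificate and private key.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/intermediary.pem
sslPassword = <private-key-password>
# Reject forwarders that do not present a certificate signed by the trusted CA.
requireClientCert = true
sslVersions = tls1.2

# --- both hosts: $SPLUNK_HOME/etc/system/local/server.conf ---
[sslConfig]
# Placeholder path: CA certificate used to validate the peer's certificate.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# --- universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = intermediary

[tcpout:intermediary]
server = intermediary.example.com:9997
# Placeholder path: PEM file holding the forwarder's certificate and private key.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf.pem
sslPassword = <private-key-password>
# Without these two settings the forwarder encrypts but does not authenticate the receiver.
sslVerifyServerCert = true
sslCommonNameToCheck = intermediary.example.com
```

Restart both instances after the change and check splunkd.log on the intermediary for TLS handshake errors before decommissioning the plaintext port.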