If the universal forwarder was eating over 6GB+ of RAM, it was probably misconfigured. Also, the 6.1 UF collects Windows data a lot more efficiently, so you might want to look again at some future point.
However, if you don't want to use the UF on a Windows box, then there are a few choices:
Install the UF on a single Windows box somewhere and use it to do remote data collection. This doesn't scale well, so it works best only in limited situations. Also, you will still have one UF on a Windows box, and since that UF will be doing a lot more work, it will put some load on that Windows box.
Figure out some other way to collect Windows data. Snare is a syslog client for Windows, so that might be an option for you. If you go with a "syslog on Windows" option, then it should work a lot like your syslog on Linux.
Set up a log file repository on an SMB share somewhere and have the Windows servers write to it. This has potential performance problems as well, but not due to Splunk. It can be a bottleneck and/or a security risk depending on how you set up the share.
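As an added example (not part of the original answer), this PowerShell creates the log-repository share from the SMB option with least-privilege share and NTFS permissions, so that servers can only drop and append log files and only the collector account can read them. The path, share name and group names are placeholders, and it assumes the writing agents open files for write/append only and that all clients support SMB 3 encryption.

```powershell
# Added example: create the SMB log repository with least-privilege permissions.
# All names below are placeholders; replace them with values from your environment.
$LogRoot   = 'D:\WinLogs'            # local folder backing the share
$ShareName = 'WinLogs$'              # hidden share name
$Writers   = 'CONTOSO\LogWriters'    # group holding the servers' computer accounts
$Readers   = 'CONTOSO\SplunkReaders' # account/group the Splunk collector runs as
$Admins    = 'CONTOSO\LogAdmins'     # the only principals allowed to delete or re-ACL

New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null

# NTFS: stop inheriting the default "Users" rights, then grant each role only what it needs.
$acl = Get-Acl -Path $LogRoot
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance and drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    # writers: create and append to log files, but no read, no list, no delete
    @{ Id = $Writers; Rights = 'Write, ReadAttributes, ReadPermissions, Synchronize' },
    # readers: read-only, which is all the collector needs
    @{ Id = $Readers; Rights = 'ReadAndExecute, Synchronize' },
    @{ Id = $Admins;  Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $LogRoot -AclObject $acl

# Share level: the effective right is the more restrictive of share and NTFS permissions.
# EncryptData forces SMB 3 encryption (assumes no pre-SMB3 clients); access-based
# enumeration hides the folder from accounts that have no rights to it.
New-SmbShare -Name $ShareName -Path $LogRoot `
    -ChangeAccess $Writers -ReadAccess $Readers -FullAccess $Admins `
    -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null

# Quick check: review the resulting share and NTFS ACEs before pointing servers at it.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $LogRoot).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If a log shipper also rotates or re-reads its own files, the writer rights will need `Modify` instead, which is the trade-off the answer's security caveat points at.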