These:
_audit _blocksignature _internal _thefishbucket history main summary
are default indexes and are used for many Splunk-specific things. main is where it dumps things by default, _internal is Splunk's index for Splunk, so on, so forth, etc. Don't worry about them; they are either necessary or harmless. They will not take up any space unless Splunk is writing events to them, and if Splunk is writing events to them, you should be messing with them anyway. I would also recommend creating some other source/sourcetype-specific indexes for the different types of logs you have coming in.
On your Linux server, unless it is your intermediate forwarder, you should run a Universal Forwarder there as well. You can do one-off data routing from your Indexer, link below. From Splunk to Splunk, you do not need to do syslog out. Just let the forwarders do all the work.
Why would you keep a second copy of your syslog events? Splunk does a wonderful job of keeping all the events from your entire network in their original event format and then compressing them down to save ample amounts of disk space; ergo, no need to keep a second copy.
Router and Filter Data