Splunk has a built-in syslog server function and a dedicated app for this: Splunk Connect for Syslog (https://splunkbase.splunk.com/app/4740/); it doesn't require programming knowledge, only a little Splunk knowledge.
To do this, first you have to decide whether you want HA or not:
if yes, you have to use two Heavy Forwarders and a Load Balancer;
if not, you need only one Load Balancer.
This is important because, as you know, you have to take syslogs when they arrive, otherwise they are lost, so you need a system with two servers so that at least one of them is always active, also during failures or maintenance.
Anyway, the steps are the following (not HA):
make a list of your sources, identifying:
available protocol (TCP/UDP),
configurable ports (default 514; some appliances can set a different output port, some others cannot),
open the firewall routes between the syslog sources and the Heavy Forwarder,
install a server: it can be virtual, preferably Linux, with the normal requirements for Splunk,
install Splunk Enterprise: a Heavy Forwarder is a Splunk instance where logs are forwarded to other Indexers,
configure the HF to forward logs to the indexers [Settings -- Forwarding and Receiving -- Forward Data]:
Forwarding default: Yes
Configure Forwarding: insert the addresses of your indexers,
install Splunk Connect for Syslog,
in Connect for Syslog, configure Inputs to ingest the logs from the listed syslog sources, following the instructions in the App,
configure your syslog sources to send logs to the HF address using the configured port and protocol,
if you can configure the port on your syslog sources, use a different port for each kind of source (e.g. all Fortinet firewalls on 515, all proxies on 516, etc.); otherwise leave 514 on all the sources.
Check the ingestion in Splunk by running a simple search: index=syslog_index (the index you configured in inputs).
If you want HA, only the first part is different, because you have to configure two HFs and the Load Balancer to distribute load between the HFs; then you have to use the LB address as the destination for your syslog sources.
If you search on Google, you can find a lot of documentation and videos about this, e.g.:
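As an added example (not code from the answer above, and not part of Splunk Connect for Syslog), the shell script below is a smoke test for the procedure it describes: it builds one RFC 3164 test line per kind of source, sends it to the collector on the port chosen for that kind (515 for Fortinet, 516 for proxies, 514 for everything else, following the convention in the answer), and so gives the final `index=syslog_index` search something to find. The collector address, the port mapping, the inventory lines and the `<kind>-test` tags are assumptions for illustration; sending and the TCP reachability check use bash's `/dev/tcp` and `/dev/udp`, so bash has to be installed on the machine you run it from.

```shell
#!/bin/sh
# Added smoke test for the SC4S-on-HF procedure (not code from the original
# answer or from Splunk Connect for Syslog). Hostnames, ports, tags and the
# inventory below are assumptions for illustration.

# Listener port per kind of source: one port per source class, everything
# else stays on the default 514.
port_for_source() {
  case "$1" in
    fortinet) echo 515 ;;
    proxy)    echo 516 ;;
    *)        echo 514 ;;
  esac
}

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1); local0.info -> 134
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# RFC 3164 line: <PRI>Mmm dd HH:MM:SS hostname tag: message
# $1 facility  $2 severity  $3 hostname  $4 tag  $5 message
build_syslog_line() {
  ts=$(date '+%b %e %H:%M:%S')   # %e gives the space-padded day RFC 3164 uses
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$ts" "$3" "$4" "$5"
}

# Is the TCP listener reachable through the firewall? Uses bash's /dev/tcp so
# no netcat is needed. UDP cannot be probed this way: a dropped datagram is
# silent, which is exactly why the search in Splunk is the real check.
# $1 host  $2 port
check_tcp_listener() {
  bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Send the line exactly as built (no rewriting by the local syslog daemon),
# through bash's /dev/tcp or /dev/udp.  $1 host  $2 port  $3 tcp|udp  $4 line
send_raw_line() {
  bash -c 'printf "%s\n" "$4" > "/dev/$3/$1/$2"' _ "$1" "$2" "$3" "$4"
}

# Constructed inventory, one line per source class:
#   kind proto hostname facility severity message
# The messages are made up to resemble the real source classes.
run_smoke_test() {
  collector=$1   # HF address, or the LB address in the HA variant
  printf '%s\n' \
    'fortinet udp fw01 16 6 devname=fw01 type=traffic action=accept' \
    'proxy tcp proxy01 16 6 GET http://example.com/ 200 TCP_MISS' \
    'switch udp sw01 16 6 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up' \
  | while read -r kind proto host fac sev msg; do
      port=$(port_for_source "$kind")
      line=$(build_syslog_line "$fac" "$sev" "$host" "$kind-test" "$msg")
      if [ "$proto" = tcp ] && ! check_tcp_listener "$collector" "$port"; then
        echo "no TCP listener at $collector:$port (firewall rule or SC4S input missing?)" >&2
        continue
      fi
      send_raw_line "$collector" "$port" "$proto" "$line"
      echo "sent to $collector:$port/$proto -> $line"
    done
}

# usage: sh smoke_test.sh <collector-address>
if [ -n "${1:-}" ]; then
  run_smoke_test "$1"
fi
```

After running it against the HF (or LB) address, search `index=syslog_index "-test:"` in Splunk: a source class whose line is missing points at the firewall route, the SC4S input for that port, or the protocol, in that order.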
Hey, I know very little about programming, but we have four syslog servers which accept logs and forward to Splunk.
How we do it: we have a server we designate as a "syslog server" with a universal forwarder on it.
In /etc/rsyslog.d/external.conf we have rulesets and inputs configured for the types of servers we have.
Since you will only forward logs for routers, I doubt yours would be complicated 🙂
After configuring your syslog, you can configure inputs.conf to monitor that directory.
The free version of Splunk should be more than enough to monitor your router's logs. So you shouldn't have to install a universal forwarder on a separate machine, and then forward that to your Splunk server.
Hope this helps, let me know if you need a little more guidance.
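As an added example (not the poster's own external.conf, and not Splunk's or rsyslog's code), the script below generates the two pieces that answer describes: an rsyslog ruleset per source class, each bound to its own listener port and writing every sender's messages to its own file, and the matching Universal Forwarder inputs.conf stanza that monitors that tree. The directory `/var/log/remote`, the class names, ports, index and sourcetype in the inventory are assumptions for illustration.

```shell
#!/bin/sh
# Added config generator for the rsyslog + Universal Forwarder setup (not the
# poster's external.conf). Paths, ports, index and sourcetype are assumptions.

LOG_ROOT=/var/log/remote   # rsyslog writes here; the UF monitors this tree

# One ruleset per source class, bound to its own port. Files are keyed on
# %FROMHOST-IP% (the peer address rsyslog saw), not %HOSTNAME% (a field the
# sender writes into the header itself and could spoof or fill with "../").
# "stop" keeps remote messages out of the host's own /var/log/syslog.
# $1 class name  $2 udp|tcp  $3 port
rsyslog_ruleset() {
  name=$1 proto=$2 port=$3
  case "$proto" in
    udp) module=imudp ;;
    tcp) module=imtcp ;;
    *)   echo "rsyslog_ruleset: unknown protocol '$proto'" >&2; return 1 ;;
  esac
  cat <<EOF
template(name="file_$name" type="string" string="$LOG_ROOT/$name/%FROMHOST-IP%/messages.log")
ruleset(name="$name") {
    action(type="omfile" dynaFile="file_$name" dirCreateMode="0750" fileCreateMode="0640")
    stop
}
input(type="$module" port="$port" ruleset="$name")

EOF
}

# UF monitor stanza for one class. host_segment=5 takes the host from the
# /var(1)/log(2)/remote(3)/<class>(4)/<sender-ip>(5) directory, so Splunk's
# host field also comes from the peer address, not from the message header.
# $1 class name  $2 index  $3 sourcetype
uf_monitor_stanza() {
  cat <<EOF
[monitor://$LOG_ROOT/$1/*/messages.log]
index = $2
sourcetype = $3
host_segment = 5
disabled = 0

EOF
}

# Constructed inventory: class proto port index sourcetype
INVENTORY='routers udp 514 network syslog
firewalls tcp 515 network syslog'

# Whole /etc/rsyslog.d/external.conf: load both input modules once, then
# one ruleset + input per inventory line.
generate_rsyslog_conf() {
  printf 'module(load="imudp")\nmodule(load="imtcp")\n\n'
  printf '%s\n' "$INVENTORY" | while read -r class proto port index st; do
    rsyslog_ruleset "$class" "$proto" "$port" || exit 1
  done
}

# Whole inputs.conf for the UF on the syslog server.
generate_inputs_conf() {
  printf '%s\n' "$INVENTORY" | while read -r class proto port index st; do
    uf_monitor_stanza "$class" "$index" "$st"
  done
}

# usage: sh gen_syslog_conf.sh <output-dir>
# then copy external.conf to /etc/rsyslog.d/ and inputs.conf to
# $SPLUNK_HOME/etc/system/local/ (or into an app) on the syslog server
if [ -n "${1:-}" ]; then
  mkdir -p "$1"
  generate_rsyslog_conf > "$1/external.conf"
  generate_inputs_conf  > "$1/inputs.conf"
  echo "wrote $1/external.conf and $1/inputs.conf"
fi
```

Two choices in the generated config are deliberate: the file path and the Splunk host field are both derived from the sending IP rather than from the hostname inside the syslog header, because the header is written by the sender and is the value an attacker or a misconfigured box controls; and `stop` ends processing inside each ruleset so router traffic does not also land in the syslog server's own local log files.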