What we have is a two-step process. I would create a central rsyslog server that can coalesce all your routers' and other devices' logs via syslog. Then, on that central syslog/syslog-ng server, run the Splunk forwarder and configure it to tail the appropriate syslog file or files you
And Splunk has to be restarted essentially anytime a configuration file is modified, or an app is installed. Secondly, Splunk would have to be running as root to accept traffic on ports lower than 1024, and this is against best practice. It also violates many companies' security policies
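
A sketch of the two-step setup described above, added here as an example and not taken from the original post. The directory `/var/log/remote`, the file names, the `splunk` group and the `network` index are assumptions to adapt to your environment.

```conf
# ---- /etc/rsyslog.d/10-remote.conf (central rsyslog server) ----
# rsyslog owns the privileged port 514, so Splunk never has to run as root.
module(load="imudp")
module(load="imtcp")

# One file per sending device. The directory is keyed on the source IP
# (fromhost-ip) rather than the HOSTNAME field, because HOSTNAME is taken
# from the message and is therefore chosen by the sender.
template(name="PerDeviceFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

ruleset(name="remote") {
    # Assumption: the forwarder runs as an unprivileged user in group "splunk".
    action(type="omfile" dynaFile="PerDeviceFile"
           fileGroup="splunk" fileCreateMode="0640"
           dirGroup="splunk"  dirCreateMode="0750")
}

# Remote traffic is bound to its own ruleset so it stays out of the
# server's local log files.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# ---- $SPLUNK_HOME/etc/system/local/inputs.conf (forwarder, same host) ----
# Tail the per-device files written by rsyslog.
[monitor:///var/log/remote/*/syslog.log]
sourcetype = syslog
# Path segment 4 (/var/log/remote/<device>/...) becomes the event's host field.
host_segment = 4
# Assumption: an index named "network" exists on the indexers.
index = network
disabled = false
```

With this layout rsyslog keeps writing to disk while the forwarder is restarted for a configuration change, and the forwarder picks up from its last read position in each file. Add log rotation for `/var/log/remote` so the per-device files do not grow without bound.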