I've been spinning my wheels for the past couple days trying to figure this out... I've read documentation and checked out Splunk Answers and things that should be working don't seem to be working.
I am trying to install this RFC5424 Syslog add-on to process syslog data being handled by a Kiwi Syslog server with a Universal Forwarder installed:
https://splunkbase.splunk.com/app/978/
The reason I'm installing it is because the default sourcetype for "syslog" in Splunk seems to be RFC3164, but I need RFC5424 parsing/indexing. Our environment looks like this:
Universal Forwarder > Heavy Forwarder > Indexer
We have a master indexer and several peer indexers.
We also have a search head cluster of three search heads.
I put the add-on on a deployment server and pushed it out to the universal forwarders. The add-on is installed and is pulling in the data configured in the inputs.conf file. I searched the data being indexed in Splunk and saw that it was there, but that the fields weren't properly selected.
I then went on every server from the universal forwarder to the search heads, dropping the add-on in the C:\Splunk\etc\apps folder and restarting the service. No dice.
I installed the add-on through our deploy server and pushed it out to the search heads. Restarted. Still didn't index properly.
Spent some time reading this doc:
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
And went to the heavy forwarders and indexers and manually loaded all of the add-on's .conf files (including lookup and metadata information) under this root folder (I put all the .conf files in their appropriate subdirectories):
`C:\Splunk\etc\system`
Restarted the services and still nothing... when I look at the data in Splunk, this is what I'm seeing... but it's not broken down the way syslog data should be with host, priority, etc., etc. Am I missing something? See pic attached. I guess what I'm assuming is supposed to happen is that these selected fields will be more representative of the data... like priority, hostname, message text, etc.
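As an added example (not code from the original post, the Splunkbase add-on, or Kiwi), here is a small parser for the RFC 5424 header whose fields the poster expects to see extracted: priority split into facility and severity, hostname, app-name, procid, msgid, structured data and message. Both sample lines are constructed; the parser returns None for an RFC 3164-style line (no VERSION digit after the PRI), which is a quick way to confirm what format a forwarder is actually receiving before troubleshooting the add-on's extractions.

```python
import re
from typing import Optional

# Constructed sample lines (hypothetical, not from the original post).
RFC5424_LINE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
                '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
                'An application event log entry...')
RFC3164_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# The VERSION digit right after '>' is what distinguishes 5424 from the 3164 format.
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app_name>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)

def _split_structured_data(rest: str):
    """Return (structured_data, msg). SD is '-' or one or more [id k="v" ...] blocks;
    a quoted PARAM-VALUE may contain an escaped ']', so we cannot just split on ']'."""
    if rest.startswith('-'):
        return '-', rest[2:] if rest[1:2] == ' ' else rest[1:]
    i, in_quotes = 0, False
    while i < len(rest):
        ch = rest[i]
        if ch == '\\' and in_quotes:
            i += 2          # skip the escaped character inside a quoted value
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ']' and not in_quotes and rest[i + 1:i + 2] != '[':
            return rest[:i + 1], rest[i + 2:]   # drop the single SP before MSG
        i += 1
    return rest, ''          # SD with no MSG

def parse_rfc5424(line: str) -> Optional[dict]:
    """Parse one RFC 5424 syslog line into its fields; return None for input that
    is not RFC 5424 (for example a classic RFC 3164 line)."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m['pri'])
    sd, msg = _split_structured_data(m['rest'])
    return {
        'priority': pri, 'facility': pri >> 3, 'severity': pri & 7,
        'version': int(m['version']), 'timestamp': m['timestamp'],
        'hostname': m['hostname'], 'app_name': m['app_name'],
        'procid': m['procid'], 'msgid': m['msgid'],
        'structured_data': sd, 'message': msg,
    }
```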