SEM Log Forwarding

I'm being asked if events coming to SEM can be forwarded to Splunk. It seems Log Forwarding may accomplish that need. It might be a small subset of events, specifically from a Linux Auditd connector on a few servers.

When I look at our SEM settings for log forwarding, the option displays the message:

Log forwarding can't be enabled. If you want to enable it, configure LEM to store original log messages (raw logs).

It seems that at a minimum I'd have to run configurerawlogs (requiring a restart of SEM) and then start the Raw logs service. Since I only have a production appliance, I'm treading very carefully here.

The Admin guide doesn't offer a whole lot of guidance with respect to what that entails. Is there any more documentation on this functionality? What impact might that have on the SEM appliance (storage requirements, CPU/Memory/etc.)? Would anything change with how events are currently being managed in SEM?

I realize if/when forwarding is enabled, they'd still have Splunk work to do in order to process the events where they are forwarded, but I'm trying to understand if I'm even beginning to move down the correct path here. Any insights are appreciated. Thanks!!!