I'm a bit confused. The Architecture tells me I can add a dedicated Log Forwarder to collect (e.g.) from the DMZ.
HOWEVER: I can not find anywhere how you go about installing one.
QUESTIONS: (that I can't find answers for)
Well, you could deploy VMware Aria Operations for Logs with either Standalone or Cluster depending on the requirement. Ideally to size the deployment you may use this Sizing Estimator to quickly estimate the cluster size based on the ingestion requirements of your environment.
With regards to log forwarding, you may use the Log Forwarding feature within your vRLI appliance to forward incoming log events to a syslog or Ingestion API target. Refer below documentation:
Add a vRealize Log Insight Log Forwarding Destination (vmware.com)