In addition to what Phil said, you can also set up a syslog log/audit sink and send the logs directly to Splunk via syslog (or to an intermediate syslog server that gets indexed by splunk).
The gateway has some of the most flexible/powerful customizations for logging that I have ever seen. You can have different audit/log sinks for different services, policies, or folders of policies, by client IP, and many more filtering options. You can send different levels of logging to different sinks, for example sending warnings and above to syslog while including fine logging written to a log file.
I recommend reading through this section of the documentation to get a better idea of how this all works: