No, you can filter your syslog events on Indexers (before indexing) or Heavy Forwarders not on Universal Forwarders!
Filtering on Indexers doesn't consume license because filtering is an action before indexing and license is calculated only on indexed logs not on received logs.
About Heavy Forwarders for syslogs, if you have a small architecture, you can use Indexers to receive syslogs and filter them before indexing.
If instead you have a large architecture and you want to separate syslog receiving from indexing you can add one (two with a Load Balancer is better) Heavy Forwarder (not Universal Forwarder!) that it's enabled to receive syslogs and filter them before sending to indexers.
Ciao.
Giuseppe
... View more