Does getting all initial data from firewalls, network appliances, servers... into the SC4S log collector count as free, like open-source rsyslog, or does it count as Splunk Enterprise license usage?
Can we use it to also forward data to Elastic/Logstash (ELK)?
SC4S is free to use just like a Splunk forwarder. You cannot use it to forward to ELK since it uses HEC under the covers.
They pretty much confirmed what I said. SC4S itself has no cost. The storage of data is the same regardless of how it gets to Splunk.
I would add that it's likely license usage would be greater for syslog ingested as HEC (being JSON) vs. ingested as old-school text log files.
In that sense, SC4S would likely cause greater license usage than syslog, though you would save local disk capacity from having to store files until ingested. Just compare a text log file to its JSON equivalent.
SC4S may cache data temporarily if it can't reach any indexers. Splunk does not charge for that.
Any data sent by SC4S to your indexers that is written to an index will consume ingestion license.
In both respects, SC4S is no different from a Universal Forwarder.
So SC4S is just a filter; we can't use it as a log collector to store data for several months, if I understood correctly?
That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to.
The big advantage with SC4S is the "rule soup", which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration.
The meaning is: if you index logs from SC4S you consume license; if you use it to directly send data to another platform without indexing them on Splunk, it's free.
Also because it's composed of a syslog-ng server and a Splunk Universal Forwarder.
But the question should be: why should you use it outside Splunk?
You could use the rsyslog server to write syslogs to disk and then use the mechanism in the other platform (like the Universal Forwarder in Splunk) to send data to it!
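The "rsyslog writes to disk, a forwarder picks the files up" pattern suggested in the reply above, as an added configuration example that is not part of the original thread and not SC4S's or Splunk's own configuration. The rsyslog part listens on UDP and TCP 514 and writes each remote host's messages into its own dated file under /var/log/remote/; the Universal Forwarder part monitors that tree and takes the host name from the directory. The directory layout, the port, the index name `network` and the sourcetype `syslog` are assumptions for this example; adjust them to your environment.

```conf
# /etc/rsyslog.d/10-remote.conf  (rsyslog RainerScript; example, assumed layout)

# Accept syslog from network devices and servers on UDP and TCP 514.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending host per day, e.g. /var/log/remote/fw01/2024-05-01.log
# (hypothetical path layout chosen for this example).
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Write remote messages to the per-host file and stop further processing so
# they do not also land in /var/log/messages and get read twice.
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# $SPLUNK_HOME/etc/apps/remote_syslog/local/inputs.conf on the Universal Forwarder
# (example stanza; index and sourcetype are assumptions).
#
# [monitor:///var/log/remote/*/*.log]
# sourcetype = syslog
# index = network
# host_segment = 4
```

`host_segment = 4` tells the forwarder to use the fourth path segment (the `<hostname>` directory in `/var/log/remote/<hostname>/<date>.log`) as the event's host, so the files keep the original sender's name rather than the collector's. Whatever the forwarder then sends to the indexers consumes ingestion license exactly as the thread describes; the files on disk do not, which is what gives you local retention independent of Splunk.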