I filtered some of our Windows events before indexing. This worked perfectly.
We had the idea to send the filtered data to a remote system for archiving via syslog.
UPDATE 3
Clarification: This is what we try to accomplish:
Universal Forwarders -- in Splunk format --> filter two ways:
1. into the index of the Splunk server (indexer)
2. as syslog to --> remote syslog server
Everything works fine except that ALL the data that gets forwarded as syslog ALSO gets indexed, and there seems to be no way to avoid this. There is no way to filter the incoming data stream and route one stream into the indexer and another to a remote syslog server.
This is the content of the props.conf:
[source::WinEventLog...]
# both transforms are applied, in the listed order, to every WinEventLog source
TRANSFORMS-filter = filterWinFw,filterEventIDs
This is the content of the transforms.conf - the old config that worked perfectly is commented out:
[filterWinFw]
# matches link-local 169.254.x.x traffic or the forwarder's own splunkd.exe
# (the unescaped '.' before exe matches any single character)
REGEX = (169\.254\.|bin\\splunkd.exe)
# DEST_KEY = queue
# FORMAT = nullQueue
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogarchive
[filterEventIDs]
# EventCode values the original filter dropped: object access, WFP, logon/logoff, process and Kerberos auditing
REGEX = EventCode=(4656|5447|5154|5145|5156|4957|4634|4663|4658|4688|4768|4769|4689)
# DEST_KEY = queue
# FORMAT = nullQueue
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogarchive
This is the outputs.conf
# syslog output group named by FORMAT = syslogarchive in transforms.conf
[syslog:syslogarchive]
indexAndForward = false
server = 10.1.1.12:1577
What happens as expected is the syslog forwarding. BUT it still indexes these events, which is not the desired result. Any ideas?
UPDATE 1
I tried to change the transforms.conf to add another format that sends the events to the nullQueue - without effect:
[filterWinFw]
REGEX = (169\.254\.|bin\\splunkd.exe)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = svsiem,send_to_null
[filterEventIDs]
REGEX = EventCode=(4656|5447|5154|5145|5156|4957|4634|4663|4658|4688|4768|4769|4689)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = svsiem,send_to_null
# defined here but not referenced from any TRANSFORMS- entry in props.conf above
[send_to_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
UPDATE 2
I even tried this in outputs.conf without success and tried to apply "selectiveIndexing":
[syslog]
index = false
indexAndForward = false
[tcpout]
index = false
indexAndForward = false
[syslog:syslogarchive]
index = false
indexAndForward = false
server = 10.1.1.12:1577
UPDATE 4
I even tried this:
Section in props.conf:
[source::WinEventLog...]
# three transform classes: syslog routing, nullQueue filtering, index assignment
TRANSFORMS-sendsyslog = syslogWinFw,syslogEventIDs
TRANSFORMS-filter = filterWinFw,filterEventIDs
TRANSFORMS-index = winnativeindex
Section in transforms.conf:
# catch-all: every event gets index=win_native
[winnativeindex]
REGEX = .
FORMAT = win_native
DEST_KEY = _MetaData:Index
# drop: link-local traffic and the forwarder's own splunkd.exe
[filterWinFw]
REGEX = (169\.254\.|bin\\splunkd.exe)
DEST_KEY = queue
FORMAT = nullQueue
# drop: the listed EventCode values
[filterEventIDs]
REGEX = EventCode=(4656|4658|4769|5156|5158|5447)
DEST_KEY = queue
FORMAT = nullQueue
# route to syslog: same regexes as the two filter stanzas above
[syslogWinFw]
REGEX = (169\.254\.|bin\\splunkd.exe)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogarchive
[syslogEventIDs]
REGEX = EventCode=(4656|4658|4769|5156|5158|5447)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogarchive
Result:
1. Filtered log gets indexed
2. No syslog sending
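Dry run of the UPDATE 4 transforms against a few constructed WinEventLog-style events, as an added example that is not part of the original post and not Splunk code. It reproduces only the REGEX-matching step of TRANSFORMS processing: for each sample event it reports which stanzas match and which DEST_KEY/FORMAT pairs they would set, so you can see where two stanzas compete for the same event. The sample events, the transform ordering (taken as the props.conf listing order; cross-class ordering inside splunkd is not modelled) and the use of configparser to read the stanzas are all assumptions of this example; it does not model how splunkd resolves several transforms writing the same key, nor what routing an event to nullQueue does to its _SYSLOG_ROUTING decision.

```python
"""
Dry-run the transforms.conf regexes from UPDATE 4 against constructed
WinEventLog-style events.  Added example, not from the post or from Splunk:
only the REGEX-matching step is reproduced.
"""
import configparser
import re

# The transforms.conf stanzas as posted in UPDATE 4 (raw string, so the
# backslashes reach the regex engine exactly as splunkd would read them).
TRANSFORMS_CONF = r"""
[winnativeindex]
REGEX = .
FORMAT = win_native
DEST_KEY = _MetaData:Index

[filterWinFw]
REGEX = (169\.254\.|bin\\splunkd.exe)
DEST_KEY = queue
FORMAT = nullQueue

[filterEventIDs]
REGEX=EventCode=(4656|4658|4769|5156|5158|5447)
DEST_KEY = queue
FORMAT = nullQueue

[syslogWinFw]
REGEX = (169\.254\.|bin\\splunkd.exe)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogarchive

[syslogEventIDs]
REGEX=EventCode=(4656|4658|4769|5156|5158|5447)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogarchive
"""

# Assumed order: the props.conf listing (sendsyslog, filter, index).
TRANSFORM_ORDER = ["syslogWinFw", "syslogEventIDs",
                   "filterWinFw", "filterEventIDs", "winnativeindex"]


def load_transforms(text):
    """Parse Splunk-style stanzas into {stanza_name: {key: value}}."""
    # Only '=' is a delimiter: values such as EventCode=(...) and
    # _MetaData:Index contain characters configparser would otherwise split on.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT case as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route(event, transforms=None, order=TRANSFORM_ORDER):
    """Return {DEST_KEY: [(stanza, FORMAT), ...]} for every stanza whose
    REGEX matches the event.  More than one entry under a DEST_KEY means
    several stanzas compete to set it for this event."""
    transforms = transforms or load_transforms(TRANSFORMS_CONF)
    decisions = {}
    for name in order:
        stanza = transforms[name]
        if re.search(stanza["REGEX"], event):
            decisions.setdefault(stanza["DEST_KEY"], []).append(
                (name, stanza["FORMAT"]))
    return decisions


# Constructed sample events, shaped like the Windows event log input output.
EVENT_4656 = ("LogName=Security\nEventCode=4656\nEventType=0\n"
              "Message=A handle to an object was requested.")
EVENT_4624_CLEAN = ("LogName=Security\nEventCode=4624\n"
                    "Message=An account was successfully logged on.\n"
                    "Source Network Address:\t10.1.1.50")
EVENT_5156_SPLUNKD = ("LogName=Security\nEventCode=5156\n"
                      "Message=The Windows Filtering Platform has permitted a connection.\n"
                      "Application Name:\t\\device\\harddiskvolume1\\program files"
                      "\\splunkforwarder\\bin\\splunkd.exe")
EVENT_4624_LINKLOCAL = ("LogName=Security\nEventCode=4624\n"
                        "Source Network Address:\t169.254.10.20")


def summarize(event):
    """One line per event: which keys are set, by which stanzas."""
    return "; ".join(f"{key} <- {', '.join(f'{n}:{f}' for n, f in hits)}"
                     for key, hits in route(event).items())


if __name__ == "__main__":
    for label, ev in [("4656", EVENT_4656),
                      ("4624 clean", EVENT_4624_CLEAN),
                      ("5156 splunkd", EVENT_5156_SPLUNKD),
                      ("4624 link-local", EVENT_4624_LINKLOCAL)]:
        print(f"{label:16} {summarize(ev)}")
```

Running it shows the 4656 event picking up queue=nullQueue from filterEventIDs and _SYSLOG_ROUTING=syslogarchive from syslogEventIDs at the same time, and the 5156 event that mentions splunkd.exe being claimed by all four filter/syslog stanzas. That overlap is exactly what the UPDATE 4 configuration relies on; whether splunkd still honours the syslog routing for an event it has also sent to nullQueue is the open question of this post, and this dry run cannot answer it.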