Hello. I am attempting to configure, using Cygwin, a syslog-ng relay on a Windows box. The version of syslog-ng (3.2.5-1) does not come compiled with the spoof-source option, and it is unlikely I will be able to compile it inside this environment either. Is there a configuration of sorts that will allow me to preserve the client IP/hostname without having the spoof-source option available?

network device -> Cygwin syslog-ng relay -> a loghost syslog-ng that does have spoof-source enabled -> Splunk

The goal here is to have syslog messages from the network device (or really anything I send to the relay) show up in Splunk with the host being that device itself, and NOT the relay.

Everything I try, be it keep_hostname(yes) or keep_hostname(no), rewrite HOST filters, etc., still results in the host showing up in Splunk as the relay, which is what I don't want.

Am I stuck or is there more to how syslog processes the HOST field than I thought?
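For reference, the following is an added example (not the poster's configuration) of the relay and loghost portions of the chain described above, written for syslog-ng 3.2 syntax. The hostnames `loghost.example.com` and `splunk.example.com`, the port 514 and the listening address are assumptions. It shows the settings that keep the original device's HOST in the forwarded syslog header rather than replacing it with the relay's own name:

```conf
# --- Relay (Cygwin syslog-ng 3.2.5, no spoof_source) -- added example, not the poster's config ---
@version: 3.2

options {
    # Keep the HOST field exactly as it arrived in the incoming syslog header.
    keep_hostname(yes);
    # Do not prepend this relay's own hostname to the HOST field on forward.
    chain_hostnames(no);
    # If the incoming header carries no hostname, fall back to the sender's
    # IP address rather than a reverse-DNS name (avoids slow/odd lookups).
    use_dns(no);
    use_fqdn(no);
};

# Listen for the network devices (assumed: all interfaces, port 514).
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# Forward with an explicit BSD-style template so $HOST (the original device)
# is written into the header verbatim; the relay's name never appears.
destination d_loghost {
    udp("loghost.example.com" port(514)
        template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};

log { source(s_net); destination(d_loghost); };


# --- Loghost (syslog-ng built with spoof_source) -- added example, not the poster's config ---
@version: 3.2

options {
    keep_hostname(yes);
    chain_hostnames(no);
    use_dns(no);
};

source s_relay {
    udp(ip(0.0.0.0) port(514));
};

# spoof_source(yes) rewrites the UDP source address to the address this host
# received the message from -- which, in this chain, is the relay, not the device.
destination d_splunk {
    udp("splunk.example.com" port(514)
        spoof_source(yes)
        template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};

log { source(s_relay); destination(d_splunk); };
```

Two caveats worth checking before blaming the relay. First, spoof_source on the loghost spoofs the address the loghost itself received the packet from; with a relay in between, that is the relay's IP, so the loghost cannot reconstruct the device's IP at the network layer. Second, a Splunk UDP input sets the host from the sending IP by default (`connection_host = ip` or `dns` in inputs.conf); set `connection_host = none` on that input so Splunk derives the host from the syslog header, where the $HOST value forwarded by the configuration above actually lives. Verifying with a packet capture on the loghost that the forwarded header still carries the device name (and not the relay's) separates a syslog-ng HOST problem from a Splunk host-assignment problem.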