Hey Voltaire,
I'm a bit of a Splunk noob, but I've used NG for other log management systems. Have you looked into spoofing the source of the original sender? It's a feature called IP spoofing, where the NG server forwards the logs on via Syslog [NG/TCP] using the original SRC IP of the originating server.
Some references here:
https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html
http://www.balabit.com/network-security/syslog-ng/comparing/detailed
This way, Splunk will see the originating server using the original IP address of the source, not the forwarder.
Hope this helps!
Kyle
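A relay configuration using the feature described in the post above, added here as an illustration and not part of the original reply: syslog-ng exposes it as the `spoof-source()` destination option, which its documentation describes for UDP destinations and which needs a build with spoof-source support. The address `192.0.2.10`, port 514 and the names `s_net`, `d_splunk` are placeholders assumed for this sketch.

```conf
# syslog-ng relay sketch (added example; addresses and names are placeholders)

options {
    # Keep the hostname written by the original sender instead of
    # replacing it with the relay's own view of the peer.
    keep-hostname(yes);
};

# Receive syslog from the originating servers.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Forward to the Splunk syslog input. With spoof-source(yes) the relay
# emits each UDP packet with the source IP of the host that originally
# sent the message, so the receiver attributes the event to that host
# rather than to the relay.
destination d_splunk {
    udp("192.0.2.10" port(514) spoof-source(yes));
};

log {
    source(s_net);
    destination(d_splunk);
};
```

Because the receiver now sees source addresses the relay chose, restrict the Splunk UDP input to accept traffic only from the relay's network segment, and make sure anti-spoofing filters between relay and indexer allow these packets.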