I already took a look at How to override "device.ip" meta with the right one?
We're using TCP Syslog for security and regulatory reasons, we can't spoof the source IP.
We're using Balabit log forwarders to forward a huge quantity of logs into our VLCs. "Device.ip" is getting populated with the IPs of the log forwarders, which is causing a lot of problems.
Has anybody found a solution for this?