Channel: THWACK: Message List - Network Configuration Manager

Re: NCM RTN - use IP in syslog message body not source


Unfortunately, I don't think we can use the SolarWinds Syslog server as the primary logging server and then forward on to the aggregator - we have to log all connection attempts/denies from our firewalls, so the volume of syslog is huge, so whilst we could only keep 7 days' worth, the poller would be kept very busy with the flood of syslog traffic.

Capture.JPG

So SolarWinds Syslog sees the message with the correct IP in the body (172.27.32.1, my router) but the "wrong" IP as the "IP ADDRESS", i.e. 172.16.75.65, our syslog-ng server.

keep_hostname(yes) is defined. Is the other way of dealing with it for the syslog-ng server to send out a syslog packet with a spoofed source IP address (of 172.27.32.1)? This breaks basic network rules and our firewalls will probably bin this due to reverse path checks.
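
An added example, not part of the original post and not SolarWinds or syslog-ng code: a receiver-side routine in Python that files a relayed message under the address in the body's HOSTNAME field instead of the packet source, but only when the packet came from a known relay, since the body field can be forged by any direct sender. The function name, the TRUSTED_RELAYS set and the sample datagrams are assumptions constructed for illustration; the two addresses are the ones quoted in the post.

```python
import ipaddress
import re

# Assumption: relays whose HOSTNAME field the receiver is willing to trust.
TRUSTED_RELAYS = {ipaddress.ip_address("172.16.75.65")}  # syslog-ng server in the post

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

def attribute_origin(packet_src: str, datagram: bytes) -> dict:
    """Decide which address a received syslog datagram should be filed under."""
    src = ipaddress.ip_address(packet_src)
    text = datagram.decode("utf-8", errors="replace")
    result = {"origin": str(src), "via_relay": None, "msg": text}
    m = RFC3164.match(text)
    if not m or int(m.group("pri")) > 191:
        return result  # unparseable header: fall back to the packet source
    pri = int(m.group("pri"))
    result.update(facility=pri >> 3, severity=pri & 7, msg=m.group("msg"))
    if src not in TRUSTED_RELAYS:
        return result  # direct sender: HOSTNAME in the body is not trusted
    result["via_relay"] = str(src)
    try:
        # keep_hostname(yes) on the relay preserves the original HOSTNAME field
        result["origin"] = str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        result["origin_name"] = m.group("host")  # a name, not an IP: needs a lookup
    return result

# Constructed sample datagrams (not captured traffic).
RELAYED = b"<189>Mar  3 10:15:02 172.27.32.1 %SYS-5-CONFIG_I: Configured from console"
FORGED = b"<189>Mar  3 10:15:09 172.27.32.1 %SYS-5-CONFIG_I: Configured from console"

if __name__ == "__main__":
    print(attribute_origin("172.16.75.65", RELAYED))  # filed under the router
    print(attribute_origin("10.9.9.9", FORGED))       # filed under the real sender
```

This keeps real source addresses on the wire, so reverse path checks on the firewalls are unaffected.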

