Hmm... There is a firewall between your syslog server and NPM server? Most people usually have their network management systems like this on the same subnet, or at least in the same DC.
If it is Syslog-NG and keep_hostname() is defined, but it's not doing it as shown above, you might check to make sure that it was compiled with the spoof-source support turned on. I think running it with the -V option will give you that info. Been some time since I've played with it.
The problem I see is if the IP is contained in the actual body of the syslog message, there has to be a way to parse it out of the message. But, if it's in the database field you mentioned, you might be right that there is a way around it...
Try looking in:
C:\ProgramData\SolarWinds\Logs\Orion\NCM\RTN\NCMRtnForwarder.log
to see if you find anything that might give a clue as to what is happening.
Have you tried using "GetUTCDate()"? Not sure whether you're getting the correct time or not?
I'd also look at maybe changing it so that instead of executing NCM.RTNForwarder.exe, you maybe do "echo" and append the output to a file via ">>" so you can see what the actual command you're executing is? Another problem is that querying SYSLOG based on datetime isn't always a great thing. You are not guaranteed to get a single message returned.