[syslog-ng] log server duplication
freebsd at tango.lu
Wed Nov 13 18:36:25 UTC 2019
Hello,
I have a syslog-ng based SIEM setup with customized rules like:
options {
    use_dns(no);
    use_fqdn(no);
    check_hostname(no);
    owner(root);
    group(root);
    perm(0640);
    dir_owner(root);
    dir_group(root);
    dir_perm(0750);
    create_dirs(yes);
    normalize_hostnames(yes);
    keep_hostname(yes);
    # disable stats
    stats_freq(0);
};
destination d_net_auth {
    file("/var/log/corporate/$HOST_FROM/auth.log");
};
...
These settings do not do DNS resolution, so when hosts send their logs
into this SIEM, the directories where the logs go will be created by their
IP addresses.
I would like to replicate this server on a second location without using
brute methods like rsyncing the whole directory structure daily. I have
configured syslog-ng to keep forwarding the logs to a remote destination,
which works fine; however, I can't select the messages based on the same
criteria on the new log server, because if I use the same config
everything will originate from the IP of logserver 1. I need IP based
directories on the second loghost as well, everything to be identical.
I'm using syslog-ng 3.12.
Is there a workaround for this?
Thanks
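The situation described in the post, worked through as an added example config (not from the original post or the syslog-ng project): $HOST_FROM is always the immediate sender, so on the second server it would be logserver 1's IP. Copying $HOST_FROM into $HOST on logserver 1 before forwarding, and keying the file path on ${HOST} on both servers, keeps the client-IP directories identical. The hostname logserver2.example.com, port 6514 and the source/rewrite/destination names are assumptions.

```conf
#### logserver 1 (the existing SIEM); the options {} block from the post stays as is ####

source s_clients {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# $HOST_FROM is the IP of the immediate sender (no DNS lookups, per options).
# Copy it into $HOST so the client IP travels in the message header to the
# second server, where $HOST_FROM would otherwise be logserver 1's own IP.
rewrite r_sender_ip {
    set("${HOST_FROM}", value("HOST"));
};

destination d_net_auth {
    file("/var/log/corporate/${HOST}/auth.log");
};

# IETF syslog over TCP; the syslog() driver's default header carries ${HOST}.
# logserver2.example.com and 6514 are assumed values.
destination d_relay {
    syslog("logserver2.example.com" transport("tcp") port(6514));
};

log {
    source(s_clients);
    rewrite(r_sender_ip);
    destination(d_net_auth);
    destination(d_relay);
};

#### logserver 2 (the replica); same options {} block, keep_hostname(yes) included ####

# keep_hostname(yes) makes $HOST the hostname field from the header, i.e. the
# client IP written by logserver 1, instead of the relay's address.
source s_relay {
    syslog(ip("0.0.0.0") port(6514) transport("tcp") keep_hostname(yes));
};

destination d_net_auth {
    file("/var/log/corporate/${HOST}/auth.log");
};

log {
    source(s_relay);
    destination(d_net_auth);
};
```

Because logserver 2 now trusts the hostname field of whatever arrives on port 6514, only logserver 1 should be able to reach that port (firewall it, or use transport("tls") with client verification), otherwise any sender could place messages under an arbitrary IP directory.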