1 Reply Latest reply on Jul 2, 2013 3:21 PM by Aforsythe

Proper syslog parsing of messages sent from a Kiwi forwarder.

We have a Kiwi syslog relay set up in our environment. I've been tasked with evaluating and integrating SIEM suites in this environment and have found that the syslog messages coming from our Kiwi instance are malformed when we turn on "Retain the original source address of the message".

What happens is that Kiwi injects "Original Address=..." into the beginning of the message instead of injecting the DATE and HOSTID portions as other relays do.

In LEM, this means that the events are showing up as if they came from the Kiwi server instead of the device they originated from and are not properly recognized as coming from an ASA, router, etc. Is this something that can be corrected in LEM or would I need to engage support for Kiwi on this?
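One way to cope with this on the receiving side is a small pre-processor that pulls the address out of the "Original Address=..." prefix and rewrites the RFC 3164 header so the HOSTNAME field carries the originating device rather than the relay. This is an added example, not code from the poster, SolarWinds, or Kiwi; the exact layout of the prefix (a bare address followed by a space and the original message) and the sample line are assumptions.

```python
import re

# Constructed sample of what a Kiwi relay is assumed to emit with
# "Retain the original source address" enabled: the relay's own
# hostname sits in the HOSTNAME field and the origin is only in the
# "Original Address=" prefix. Layout is an assumption, not documented.
KIWI_SAMPLE = ("<189>Jul  2 15:21:03 kiwi-relay Original Address=192.0.2.10 "
               "%ASA-5-111008: User 'admin' executed the 'configure terminal' command.")

# RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)

# Assumed Kiwi prefix: the address token, then the untouched message.
ORIG_ADDR_RE = re.compile(r"^Original Address=(?P<addr>\S+)\s*(?P<rest>.*)$", re.DOTALL)


def parse_kiwi(line: str) -> dict:
    """Split a relayed line into its syslog fields, recovering the origin
    host from the Kiwi prefix when present. Lines without the prefix are
    returned with origin_host equal to the header HOSTNAME."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line[:40])
    pri = int(m.group("pri"))
    fields = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "relay_host": m.group("host"),
        "origin_host": m.group("host"),
        "msg": m.group("msg"),
    }
    om = ORIG_ADDR_RE.match(m.group("msg"))
    if om:
        fields["origin_host"] = om.group("addr")
        fields["msg"] = om.group("rest")
    return fields


def normalize_kiwi(line: str) -> str:
    """Rewrite the line so HOSTNAME is the originating device and the
    prefix is gone; a line the parser does not recognise passes through."""
    try:
        f = parse_kiwi(line)
    except ValueError:
        return line
    pri = (f["facility"] << 3) | f["severity"]
    return "<%d>%s %s %s" % (pri, f["timestamp"], f["origin_host"], f["msg"])
```

Feeding the rewritten line to the SIEM lets its ASA/router parsers key on the device address as they would for a relay that rewrites the header itself.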