Self-answer. It seems impossible to mimic syslogd's behaviour. After many experiments, I am providing an updated snapshot of my research / assumptions about the syslog-ng options:
options {
#####################################################################
### the flow of decisions for hostnames, syslog-ng 1.6.8:
use_dns(yes); # yes = first resolve the IP in $HOST_FROM (the message sender)
keep_hostname(no); # no = ignore $HOST embedded in the message (rare); overwrite $HOST with $HOST_FROM
# note: RFC3164 allows embedding short hostname or IP, not FQDN
use_fqdn(yes); # yes = expand everything to FQDN, including local name
# Note syslogd behaviour is incompatible: use FQDN, but strip local
# domain + strip "-s" domains + strip domains for "-l" hosts
chain_hostnames(no); # no = keep $FULLHOST same as $HOST;
# do not expand $FULLHOST into either "src@$HOST" for localhost,
# or to "$HOST/$HOST_FROM" for remote client
#long_hostnames(no); # synonym of chain_hostnames
### with default template, the resulting $FULLHOST is written to log
#####################################################################
check_hostname(yes); # invalid chars?
sync(0); # sync immediately
};
I found that the messages from my remote systems probably do not have the hostname embedded, and this makes keep_hostname of no use.
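The decision flow in the comments above, together with the syslogd naming rule they call incompatible, can be written out as a small model. This is an added example, not part of the original answer and not syslog-ng or syslogd code. The function names, the dictionary standing in for reverse DNS, the sample addresses and names, and the choice to match "-l" hosts by full name are all assumptions.

```python
# Model of the hostname flow described in the config comments (syslog-ng 1.6.8
# as the answer understands it). All names and sample data are constructed.

def syslog_ng_fullhost(sender_ip, embedded_host, resolver, *, use_dns=True,
                       keep_hostname=False, use_fqdn=True,
                       chain_hostnames=False, local=False):
    """Return the $FULLHOST value the comments describe for one message."""
    # use_dns(yes): resolve the sender address into $HOST_FROM
    name = resolver.get(sender_ip) if use_dns else None
    # use_fqdn(no): keep only the short name (an unresolved IP is left alone)
    if name and not use_fqdn:
        name = name.split(".")[0]
    host_from = name or sender_ip
    # keep_hostname(no): ignore the name embedded in the message, so the
    # logged name comes from the sender address, not from the message text
    host = embedded_host if (keep_hostname and embedded_host) else host_from
    # chain_hostnames(no): $FULLHOST stays the same as $HOST
    if not chain_hostnames:
        return host
    return f"src@{host}" if local else f"{host}/{host_from}"


def syslogd_name(fqdn, local_domain, strip_domains=(), simple_hosts=()):
    """syslogd-style name per the note in the config: strip the local domain,
    strip "-s" domains, strip the domain for "-l" hosts, else keep the FQDN."""
    name = fqdn.lower().rstrip(".")
    host, _, domain = name.partition(".")
    if not domain:
        return host
    if domain == local_domain or domain in strip_domains:
        return host
    if name in simple_hosts:  # assumption: "-l" hosts are listed by full name
        return host
    return name


# Constructed stand-in for reverse DNS (documentation address range).
RESOLVER = {"192.0.2.10": "web1.example.org"}

if __name__ == "__main__":
    logged = syslog_ng_fullhost("192.0.2.10", "fakehost", RESOLVER)
    print("syslog-ng writes:", logged)
    print("syslogd would write:", syslogd_name(logged, "example.org"))
```

Applying `syslogd_name` to the name syslog-ng wrote shows the gap the answer describes: syslog-ng keeps `web1.example.org` while syslogd would log `web1`.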