Create a normal data source for your syslog server except enable Syslog-ng relay. Then add the rest of the data sources normally. That's it.
So long as either the hostname or IP is in the syslog header and matches your data source configuration, it will figure it out and route the logs to the correct data sources.
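To make the header-matching behaviour described above concrete, here is a small added example (my own illustration, not code from the product or from the poster) that parses the HOSTNAME field of RFC 3164 and RFC 5424 syslog headers and looks it up in a constructed data-source table keyed by hostname or IP, routing each line to the matching data source or to an "unknown" bucket. The table, sample log lines and field names are all constructed for the illustration.

```python
import re
from ipaddress import ip_address

# Constructed data-source table: each entry names a device by hostname and/or IP,
# mirroring the idea that a data source is configured with one or both.
DATA_SOURCES = {
    "fw-edge-01":  {"host": "fw-edge-01", "ip": "192.0.2.10"},
    "dc-01":       {"host": "dc-01.corp.example", "ip": "192.0.2.20"},
    "switch-core": {"host": None, "ip": "192.0.2.30"},   # IP-only data source
}

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] message
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)


def parse_header(line):
    """Return the header fields we need for routing, or None if the line is not syslog."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    return {"pri": int(m.group("pri")), "host": m.group("host"), "rest": m.group("rest")}


def is_ip(value):
    """True if the header HOSTNAME field is an IP literal rather than a name."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def build_index(sources):
    """Flatten the data-source table into one lookup: hostname-or-IP -> data source name."""
    index = {}
    for name, cfg in sources.items():
        if cfg.get("host"):
            index[cfg["host"].lower()] = name   # hostnames compared case-insensitively
        if cfg.get("ip"):
            index[cfg["ip"]] = name
    return index


def route(line, index, default="unknown"):
    """Pick the data source for one line by the HOSTNAME field in its header."""
    hdr = parse_header(line)
    if hdr is None:
        return default, None
    key = hdr["host"] if is_ip(hdr["host"]) else hdr["host"].lower()
    return index.get(key, default), hdr


# Constructed sample lines: two named hosts, one IP-only host, one unknown laptop, one non-syslog line.
SAMPLE = [
    "<34>Oct 11 22:14:15 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10",
    "<165>1 2024-05-01T10:00:00Z dc-01.corp.example sshd 4711 ID47 - Accepted publickey for admin",
    "<13>Oct 11 22:14:16 192.0.2.30 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
    "<13>Oct 11 22:14:17 laptop-42 app: hello",
    "not a syslog line",
]


def route_all(lines, sources=DATA_SOURCES):
    """Return the data source chosen for each line, in order."""
    index = build_index(sources)
    return [route(line, index)[0] for line in lines]


if __name__ == "__main__":
    for line, target in zip(SAMPLE, route_all(SAMPLE)):
        print(f"{target:12s} <- {line[:60]}")
```

Note that a line whose header carries a hostname is matched on that name regardless of the sender's current address, while an IP-only data source is matched only when the header carries that literal IP; lines that match nothing land in the default bucket, which is the case worth alerting on so that unregistered senders do not go unnoticed.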
Would it be possible to do the same without having to create child/client datasources and keep the same parsing (source IP, destination IP, host)?
The reason why I am asking this is typically when you are using agentless/automated event collection with WEF or syslog you probably do not want to bother much with creating thousands of datasources in the SIEM and maintain them over time.
Also how can you manage such when you have devices such as laptops which are changing IP address all the time?
Thank you in advance
Yes, this is possible. The key to parsing different device types under one data source is to enable the parsing rules for each device type in the Policy Editor.
Also, you can configure a pool of IP addresses in the Receiver properties under Receiver Configuration | Interfaces | Communications.