There was no explination given as to why there is no intention to add the feature. The suggestion is as follows
configure the original syslog server IP address (as provided by clients) on loopback interface of all syslog servers (assuming their OS allows that - pretty much all Unix based systems do). This allows syslog servers to accept packets for that address regardless of their "real" address in the local IP subnet (which is what BIG-IP uses to get the corresponding MAC). This scheme can be further extended into a fake-anycast solution in which all syslog servers have one well known universal syslog server address configured on loopback and all devices (regardless of actual network location use it). Delivery of messages is then facilitated by BIG-IP or router in the local IP subnet which must have a route for the "universal syslog server address" via the real address of the nearest (or designated) syslog server. If the customer uses any dynamic routing protocol, the scheme can be further automated by the syslog servers injecting the "universal syslog server address" into the routing protocol which allows to avoid the need to configure static routes.
I interpret this as a number of possible solutions to syslogging in general
- Place all syslog servers on the same subnet, with 'syslog IP' on the loopback of all boxes and use clone pool to duplicate to each server via their real address
- Have multiple syslog servers in different network segments and use an anycast solution so that all systems log to their nearest syslog server.
However, neither of these solutions comes close to multiple servers in different physical and network locations each wanting to receive a copy of all syslog traffic from all systems for redundancy.
There is a build option for syslog-ng where it can relay the traffic and spoof the original source (--enable-spoof-source). I'll probably have a look at that instead.