If you forward from the original server to your logging server and your SIEM server, you'll preserve host.
I am trying to configure a central syslog server which will collect all the logs from the clients and forward them to the SIEM machine.
The central log server will act as a relay server, transparent to the SIEM.
And the SIEM would display the client name instead of the central rsyslog server name.
I understood that was what you wanted to do. My question was, why forward from the central logging server to SIEM? Unless there is processing done to the logs before they are forwarded, there is no benefit to sending them to the central logging server first then to SIEM, barring some network connectivity / trust problem.
The rules in my first reply will hopefully forward while preserving the hostname; however, if you can simply forward to each host from the original server, you're eliminating the need to preserve the hostname: the proper hostname will show as the source on each target.
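As an added illustration of the two topologies discussed in this thread (not code from any of the posters): a small Python model of how a collector can attribute a relayed message, either by the HOSTNAME field in the RFC 3164 header or by the address of the machine that delivered it. The host names, the sample log line and all function names are constructed, and which of the two attribution methods a given SIEM uses is an assumption to check against the product.

```python
import re

# RFC 3164 header layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)

def header_host(frame):
    """Return the HOSTNAME field of an RFC 3164 frame, or None if it does not parse."""
    m = RFC3164.match(frame)
    return m.group("host") if m else None

def via_relay(frame, relay_name):
    """Model a relay that forwards the frame unchanged: only the delivering peer changes."""
    return frame, relay_name

def siem_source(frame, peer, trust_header=True):
    """Name the collector would file the event under.
    trust_header=True  -> use the HOSTNAME field carried inside the message.
    trust_header=False -> use the peer that delivered the message.
    An unparseable header falls back to the peer (modelling assumption)."""
    host = header_host(frame) if trust_header else None
    return host or peer

# Constructed sample message and host names (not taken from the thread).
SAMPLE = "<38>Mar  4 09:15:02 web01 sshd[2211]: Failed password for root from 198.51.100.7"

def demo():
    results = {}
    # Topology A: the client forwards straight to the SIEM.
    results["direct/header"] = siem_source(SAMPLE, "web01")
    results["direct/peer"] = siem_source(SAMPLE, "web01", trust_header=False)
    # Topology B: client -> central log server -> SIEM.
    frame, peer = via_relay(SAMPLE, "central01")
    results["relayed/header"] = siem_source(frame, peer)
    results["relayed/peer"] = siem_source(frame, peer, trust_header=False)
    return results

if __name__ == "__main__":
    for case, name in demo().items():
        print(f"{case:15} -> {name}")
```

Only the relayed case with peer-based attribution reports the central server's name, which is the situation where the relay's forwarding rules and the SIEM's source setting both matter.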