This leads me to believe that [input.syslog] is really designed for every server to send only its own syslog entries to its own Telegraf instance. Either way, this seems like a bug to me. Telegraf should be using column 4 of the syslog entry as the host, and not just taking the hostname of the host that is streaming the data to it.
Has anyone else used a centralized syslog server and used it as the single source of data for [input.syslog]?
The host that generated the log message is saved in the hostname tag.
To give you some background, in Telegraf the host tag is used to indicate what host Telegraf is running on, not the source of the metrics. In the future, we are planning to use a tag called source to hold the hostname which the metrics are about, but this plan is still early and not added to very many plugins yet.
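As an added illustration (not part of the original posts and not Telegraf's own code), this sketch reads line-protocol output from a Telegraf instance on a central collector and attributes each syslog event to its originating machine through the hostname tag instead of host. The sample lines and machine names are constructed, and the preference for a source tag is an assumption based on the plan mentioned in the reply.

```python
import re
from collections import Counter

# Constructed sample (not real data): what a Telegraf running on "collector01"
# might write for messages relayed from two other machines.
SAMPLE = r'''
syslog,appname=sshd,facility=auth,host=collector01,hostname=web01,severity=info message="Failed password for root",version=1i 1700000000000000000
syslog,appname=sshd,facility=auth,host=collector01,hostname=web01,severity=info message="Failed password for admin",version=1i 1700000001000000000
syslog,appname=backup\ job,facility=cron,host=collector01,hostname=db02,severity=notice message="job started, ok",version=1i 1700000002000000000
'''

def _unescape(text):
    """Undo line-protocol escaping of commas, equals signs and spaces."""
    return re.sub(r'\\([,= ])', r'\1', text)

def parse_tags(line):
    """Return (measurement, tags) from one line-protocol line."""
    # The tag set ends at the first unescaped space; fields are not needed here.
    head = re.split(r'(?<!\\) ', line, maxsplit=1)[0]
    measurement, *pairs = re.split(r'(?<!\\),', head)
    tags = {}
    for pair in pairs:
        key, value = re.split(r'(?<!\\)=', pair, maxsplit=1)
        tags[_unescape(key)] = _unescape(value)
    return _unescape(measurement), tags

def origin(tags):
    """Machine the message is about: 'source' if present (assumed future tag),
    else 'hostname' (set by the syslog input), else 'host' (the collector)."""
    return tags.get('source') or tags.get('hostname') or tags.get('host')

def count_by(lines, pick):
    """Count syslog events per value returned by pick(tags)."""
    counts = Counter()
    for line in lines.strip().splitlines():
        measurement, tags = parse_tags(line)
        if measurement == 'syslog':
            counts[pick(tags)] += 1
    return dict(counts)

if __name__ == '__main__':
    print('by host tag:    ', count_by(SAMPLE, lambda t: t['host']))
    print('by origin (tag):', count_by(SAMPLE, origin))
```

Grouping by host collapses every event onto the collector, which is the behaviour described in the question; grouping by hostname restores per-machine attribution for alerting or investigation.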