The index-time field extraction transform is defined in $SPLUNK_HOME/etc/system/default/transforms.conf.
The easiest way to prevent that extraction from happening is to suppress the call of the transform by populating the $SPLUNK_HOME/etc/system/local/props.conf file in the following way:
This will result in the following effective configuration stanza for props.conf, which shows that we have overwritten the TRANSFORMS setting used for the "syslog" sourcetype:
# $SPLUNK_HOME/bin/splunk cmd btool props list syslog --debug
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
system CHARSET = UTF-8
system DATETIME_CONFIG = /etc/datetime.xml
system TIME_FORMAT = %b %d %H:%M:%S
system TRANSFORMS =
system TRUNCATE = 10000
system maxDist = 3
system pulldown_type = true
After a restart of Splunk, the indexer will use the source IP/hostname of the forwarder that sent the data to populate the "host" field.
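As an added check (not part of the original page), the script below parses btool --debug output in the layout shown above and confirms that no index-time TRANSFORMS setting remains for the sourcetype; it also covers the TRANSFORMS-<class> form of the setting. The "<layer> KEY = VALUE" layout is assumed from the output above, and both samples, including the transform name in the second, are constructed.

```python
"""Verify that index-time TRANSFORMS are suppressed for a Splunk sourcetype.
Parses `splunk cmd btool props list <sourcetype> --debug` output in the
layout shown on this page: one "<layer> KEY = VALUE" setting per line.
"""
import re

# Constructed sample mirroring the effective configuration on this page.
BTOOL_OUTPUT_SUPPRESSED = """\
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
system CHARSET = UTF-8
system DATETIME_CONFIG = /etc/datetime.xml
system TIME_FORMAT = %b %d %H:%M:%S
system TRANSFORMS =
system TRUNCATE = 10000
system maxDist = 3
system pulldown_type = true
"""
# Constructed sample of a stanza that still calls an index-time transform;
# the transform name is a placeholder, not taken from this page.
BTOOL_OUTPUT_ACTIVE = "system TRANSFORMS = example-host-transform\n"

LINE_RE = re.compile(r"^(?P<layer>\S+)\s+(?P<key>[\w\-]+)\s*=\s*(?P<value>.*)$")

def parse_btool(text):
    """Map each KEY to (value, layer); a later occurrence of a key wins."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            settings[match["key"]] = (match["value"].strip(), match["layer"])
    return settings

def active_transforms(settings):
    """Non-empty TRANSFORMS / TRANSFORMS-<class> settings, i.e. live index-time calls."""
    return {key: val for key, val in settings.items()
            if key.upper().startswith("TRANSFORMS") and val[0]}

def transforms_suppressed(text):
    """True when no index-time transform remains in the effective stanza."""
    return not active_transforms(parse_btool(text))

if __name__ == "__main__":
    for label, output in (("suppressed", BTOOL_OUTPUT_SUPPRESSED),
                          ("active", BTOOL_OUTPUT_ACTIVE)):
        leftover = active_transforms(parse_btool(output))
        print(f"{label}: {'OK' if not leftover else 'still calls ' + str(leftover)}")
```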