OK, thanks to a colleague I just found the answer to my own question:
Apparently, Splunk adds a syslog header for every sourcetype not specified in "syslogSourceType" within outputs.conf. So, referring to the docs of outputs.conf:
syslogSourceType =
Specifies an additional rule for handling data, in addition to that
provided by the 'syslog' source type.
This string is used as a substring match against the sourcetype key. For
example, if the string is set to 'syslog', then all source types
containing the string 'syslog' will receive this special treatment.
To match a source type explicitly, use the pattern
"sourcetype::sourcetype_name".
Example: syslogSourceType = sourcetype::apache_common
Data which is 'syslog' or matches this setting is assumed to already be in
syslog format.
Data which does not match the rules has a header, optionally a timestamp
(if defined in 'timestampformat'), and a hostname added to the front of
the event. This is how Splunk causes arbitrary log data to match syslog
expectations.
Defaults to unset.
So the solution in my case was adding the common part (as it is used as a pattern) of the forwarded sourcetypes to the syslogSourceType setting and restarting splunkd.
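An outputs.conf syslog output group illustrating the behaviour quoted above, as an added example and not part of the original post or of Splunk's own configuration. The group name, the destination address, and the sourcetype names (an assumed set of forwarded sourcetypes that all share the substring "fw_") are assumptions for the illustration:

```ini
# Added example (not from the original post). Assumed target group name
# and destination address; adjust to your environment.
[syslog:secops_siem]
server = 203.0.113.10:514
type = tcp
priority = <13>

# Weak setting: syslogSourceType left unset (the default). Every event
# whose sourcetype does not contain the substring "syslog" is treated as
# NOT being in syslog format, so Splunk prepends a header, an optional
# timestamp (if 'timestampformat' is set) and a hostname. Forwarded
# events that were already well-formed syslog therefore arrive at the
# receiver with a duplicated header.
#
# syslogSourceType =

# Corrected setting: the assumed forwarded sourcetypes are
# fw_edge, fw_core and fw_dmz. Because the value is a substring match
# against the sourcetype key, the common part "fw_" covers all three and
# marks them as already being in syslog format, so no header is added.
syslogSourceType = fw_

# To cover a single sourcetype only, match it explicitly instead, so that
# an unrelated sourcetype that happens to contain the substring (for
# example "legacy_fw_audit") is not matched by accident:
# syslogSourceType = sourcetype::fw_edge

# Only applies to events that do NOT match the rule above.
timestampformat = %b %e %H:%M:%S
```

After editing the file, restart splunkd for the change to take effect, as the original post notes. Check the receiving end afterwards: events from the matched sourcetypes should arrive with exactly one syslog header, while events from any other sourcetype still get the Splunk-added header, timestamp and hostname.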