Advanced Threat Protection syslog events are sent with the hostname of localhost

Article ID: 164871

Products

Advanced Threat Protection Platform

Issue/Introduction

When the ATP sends syslog events, the hostname field of every event is always localhost rather than the appliance's actual hostname.

Example:

Mar 16 07:26:20 localhost satpn_conviction_distributor: INFO - atp CEF:0|Symantec|ATPU|2.0|0|Insight|5|incidentID=0 start=1450250780282 end=1450250780282

Cause

The ATP will always precede syslog events with localhost by design.

Resolution

In order for your syslog server to organize these events correctly, you will need to configure its parser to take the hostname from the value that follows 'INFO - ' rather than from the syslog hostname field. Using the above example, the hostname of that device is 'atp'.
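One way a syslog collector can implement this, as an added Python example (not Symantec's or the ATP product's own code): it parses the article's sample line, assuming the layout `<timestamp> localhost <program>: <level> - <hostname> CEF:...` and a CEF extension whose values contain no spaces.

```python
import re
from dataclasses import dataclass

# Constructed copy of the sample line from the article above.
SAMPLE_LINE = (
    "Mar 16 07:26:20 localhost satpn_conviction_distributor: INFO - atp "
    "CEF:0|Symantec|ATPU|2.0|0|Insight|5|incidentID=0 start=1450250780282 end=1450250780282"
)

# Header layout assumed from the sample:
#   "<Mon DD HH:MM:SS> <reported host> <program>: <level> - <real host> <message>"
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reported_host>\S+) "
    r"(?P<program>[^:]+): "
    r"(?P<level>[A-Z]+) - "
    r"(?P<atp_host>\S+) "
    r"(?P<message>.*)$"
)


@dataclass
class AtpEvent:
    timestamp: str
    reported_host: str   # always "localhost" for ATP, as the article states
    program: str
    level: str
    host: str            # the appliance hostname, taken from after "INFO - "
    cef_header: list     # the seven pipe-separated CEF header fields
    cef_ext: dict        # CEF extension key=value pairs


def parse_atp_syslog(line: str) -> AtpEvent:
    """Parse one ATP syslog line, attributing it to the host named after 'INFO - '."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an ATP-style syslog line")
    msg = m.group("message")
    if not msg.startswith("CEF:"):
        raise ValueError("message is not CEF")
    # CEF: "CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"
    parts = msg.split("|", 7)
    header = parts[:7]
    ext = parts[7] if len(parts) > 7 else ""
    # Simple whitespace split; values with escaped spaces would need a real CEF tokenizer.
    ext_fields = dict(kv.split("=", 1) for kv in ext.split() if "=" in kv)
    return AtpEvent(m.group("ts"), m.group("reported_host"), m.group("program").strip(),
                    m.group("level"), m.group("atp_host"), header, ext_fields)
```

A collector that keys its indexing on `AtpEvent.host` instead of the syslog hostname field will file every event under the correct appliance.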