Advance Threat Protection (ATP) logs are coming in with the hostname of “localhost”, syslog-ng is not logging these logs to the correct location.