I resolved this and posted about it here:
Auditd ingest pipeline with forwarded logs - Elastic Stack / Beats - Discuss the Elastic Stack
For syslogs and authlogs will not need the Digest processor but basically a processor in the individual module runs first. There check to see the original log file path and if not the central log server then add the forwarded tag. Also copied the fields host.hostname to host.name so both are populated correctly