There are hundreds and hundreds of devices that point to this Syslog server, and most of them only support a single entry. Logging into them to change it is simply not an option (only about 5% are mikrotik devices)
I've started suspecting that after re-reading your original post but decided to keep my suggestion should anyone else find it useful.
Ideally i'd want a more elegant solution than port mirroring. My understanding is the only way for port mirroring to work is for me to have 2 routers at the entry point to the existing Syslog server
...
Ideally though i'd like to do all of this on the existing router if that's possible. Can I do port mirroring as well as have the dst-nat rules accomplish the same thing on just 1 router? The destination port would be down (nothing plugged into it) so would that cause the first issue? And if not, will it port mirror first and then apply firewall chain?
You can do that on a single box if you put it right in front of the original server and if the packets for the original server pass through it on L2, i.e. if you "insert the box into the cable between the original server and the rest of its subnet". The reason is that you have to use the switch to do the forking itself and you have to keep the primary path away from the CPU. Let's say you have the old server connected to ether5 and the traffic for it comes through ether4. Then, you must configure ether4 and ether5 as ports of the same bridge and make hw-offload=yes only on this bridge (if using ROS 6.41 and above), or make one of (ether4,ether5) a "slave" of the other one (if usingROS up to 6.40.x). This way, frames between ether4 and ether5 are forwarded by the switch chip alone. Next, you configure port mirroring on the switch, with Mirror Source set to ether4 and Mirror Target set to CPU. So frames which the switch would normally only forward to ether5 will be also sent to the CPU, and there the dst-nat rule can match on them and send them elsewhere, even using L3. But the CPU will also receive anything else which comes in via ether4, so your life will be much easier if everything coming in via ether4 is only for the old server so you can safely trash the copy of it you receive on the CPU except the syslog packets.
If you need that the same Mikrotik does routing for some of the syslog packets, theoretically there is a chance that you could create two bridges and connect a port of one of them to a port of another one, but I have never practically tried so the switch chip may disagree loudly. If you need to dive deeper into this idea, say so
Both sniff-pc and sniff-tzsp actions in "/ip firewall mangle" rules add extra headers to the packets which cannot be stripped by Mikrotik itself.