best response confirmed by vhusker1507 (Senior Member)

@vhusker1507 I had a similar problem in my test lab.  I realised that I needed to enable each syslog 'facility' category that I wanted the agent to collect.  Once I had examined the incoming packets at the syslog collector (using tcpdump if I remember) I noticed that they were coming in labelled as facility 'local0' or 'local7' and these weren't enabled on my Sentinel instance.


Within the associated log analytics workspace, check under advanced settings\data\syslog and ensure that you have the appropriate facilities listed to match your incoming packets (image attached). If the correct ones aren't listed then they get dropped.


Hope this helps.
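
An added example, not part of the original reply: one way to read the facility out of captured syslog payloads (the `<PRI>` prefix, where PRI = facility * 8 + severity) and list the facilities that are arriving but not enabled. The sample payloads and the `ENABLED` set are constructed assumptions; replace them with your own capture and the facilities configured on the workspace.

```python
import re
from collections import Counter

# Facility codes by number, per the syslog PRI encoding (RFC 3164 / RFC 5424).
# The names for codes 12-15 are informal labels.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Return (facility, severity) for a syslog payload, or None if no valid PRI."""
    match = PRI_RE.match(message)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def missing_facilities(messages, enabled):
    """Count messages whose facility is not in the enabled set."""
    counts = Counter()
    for msg in messages:
        decoded = decode_pri(msg)
        if decoded and decoded[0] not in enabled:
            counts[decoded[0]] += 1
    return dict(counts)


# Constructed sample payloads, as they would appear in a packet capture.
SAMPLE = [
    "<134>Jan 12 10:01:02 fw01 traffic: session allowed",   # local0.info
    "<189>Jan 12 10:01:03 sw01 link: interface state up",   # local7.notice
    "<38>Jan 12 10:01:04 host1 sshd[411]: session opened",  # auth.info
    "not a syslog line",
]
ENABLED = {"auth", "authpriv", "daemon"}  # assumed workspace configuration

if __name__ == "__main__":
    for facility, count in missing_facilities(SAMPLE, ENABLED).items():
        print(f"{facility}: {count} message(s) arriving but not enabled")
```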