IMHO you should be willing to spend some considerable time with the syslog-ng docs. I never have used syslog-ng myself. I just saw their FAQ and it contains a lot of pointers.
BTW Your idea of using tcpdump to wiretap the incoming logs is a very good one. If you first refrain from using encrypted logs, you can even see what is been sent/arriving.
I am afraid this is all the help I can give you this moment
