Microsoft (until recently) has not natively supported syslog. Event Viewer's native format is XML. While the LI agent can collect Event Viewer logs, it formats them in a proprietary way. It would be ideal to collect in a standard format so that, when forwarding such events to a third-party syslog destination (e.g. a SIEM), the third party could properly parse them (without a custom parser). XML is that standard for Microsoft.
Given the LI agent supports CFAPI and/or syslog, this means that for CFAPI the entire event could be XML, and for syslog it could be a syslog prefix + XML for the unstructured message.