Like it says: "udp 0 0 0.0.0.0:514" means syslogd *is* listening on local UDP/514. Next to that, UDP is a *stateless* protocol.
Btw, last time I TS'ed someones syslogd it was a default fw script blocking. AFAIK, libpcap stuff like Snort or tcpdump go *before* fw routing. If you can't tell from the logs, try to add a log rule to all rejects and denies and it'll show if fw is the culprit.