I have enabled remote syslog and I do not see logs for example when user does "sudo".
For me it looks like remote syslog does not get all the logs, because rsyslog cfg file include is defined after the filter for CRON, sudo and su is applied.
In /etc/rsyslog.conf this part:
$outchannel auth_log,/var/log/auth.log
if $programname == 'CRON' or
$programname == 'sudo' or
$programname == 'su'
then :omfile:$auth_log
if $programname == 'CRON' or
$programname == 'sudo' or
$programname == 'su'
then stopis before:
$IncludeConfig /etc/rsyslog.d/*.conf
and remote syslog server is defined in
/etc/rsyslog.d/00-vyos.conf