Thanks for the good suggestion.
netstat -ano shows this line:
UDP 0.0.0.0:514 *:* 2908
PID 2908 in the task manager is Syslogd.exe *32, and since it's configured as an app (not a service) that makes sense.
I agree that it's likely that wireshark is looking at packets before the firewall rules are applied. I turned off the windows firewall in hopes of working around this.
kiwi syslogd still doesn't show any syslog info. I'll go see if I can find any other firewalls running. I can' see why this isn't working.
-Marty