Yes, the current solution isn’t very flexible, but I would want to avoid running any other software on the firewall. Increasing the software stack - especially as it needs Go or Java - is probably not very flexible and will increase memory consumption massively.
The technically easiest choice seems to be upgrading the syslog daemon so that it supports TLS and making that port configurable. Or did I miss anything?