Hi @Soumya Banerjee ,
Welcome to Microsoft Q&A! Thanks for posting the question.
Based on my understanding, you are seeing a connection to port 514 (which is used for forwarding syslog to a syslog server) from your Linux VM running as an Azure/Arc-enabled VM. I did a test by installing the Azure Monitor Agent (AzureMonitorLinuxAgent extension) on an Azure VM through a DCR and collected a network trace using tcpdump on this machine. I did not see any communication for port 514 on my machine and confirm that the syslog messages are getting collected in the Log Analytics workspace.
It looks like syslog forwarding is enabled on your machine through some other mechanism, because of which you are seeing a connection on port 514. Can you please check and confirm that?
Also, in case the suggestion above does not help, can you please share details on how you are seeing the connection on port 514? Please check the IP as well and see if it belongs to any centralized log/event message collector (or syslog server). For your reference, this link contains the IP used by Azure Monitor.
Please let me know if you have any questions.
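
One way to run the check suggested in the answer above, as an added example (not part of the original answer and not Microsoft tooling): a Python scan of rsyslog configuration text for remote forwarding rules, reporting those that send to port 514. It assumes the VM uses rsyslog with its usual config paths; the sample configuration, hostnames and function names are constructed for illustration.

```python
import glob
import re

# Legacy selector syntax: "*.* @host:514" (UDP) or "*.* @@host:514" (TCP).
LEGACY = re.compile(r'^\s*\S+\s+(@@?)(\[[^\]]+\]|[^\s:;]+)(?::(\d+))?')
# RainerScript syntax: action(type="omfwd" target="host" port="514" protocol="tcp")
ACTION = re.compile(r'action\s*\((.*?)\)', re.S | re.I)
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed sample configuration (hosts are made up for this example).
SAMPLE_CONF = '''
*.*  @@10.0.0.5:514
#auth.* @old-collector:514
local4.* action(type="omfwd"
                target="collector.example.internal" port="6514" protocol="tcp")
*.info /var/log/messages
'''

def find_forwarders(conf_text):
    """Return (target, port, protocol) for every remote forwarding rule."""
    found = []
    # Strip comments so commented-out rules are not reported.
    lines = [line.split('#', 1)[0] for line in conf_text.splitlines()]
    for line in lines:
        m = LEGACY.match(line)
        if m:
            proto = 'tcp' if m.group(1) == '@@' else 'udp'
            # rsyslog forwards to port 514 when no port is given.
            found.append((m.group(2), int(m.group(3) or 514), proto))
    # action() blocks may span several lines, so search the joined text.
    for m in ACTION.finditer('\n'.join(lines)):
        p = {k.lower(): v for k, v in PARAM.findall(m.group(1))}
        if p.get('type', '').lower() == 'omfwd' and 'target' in p:
            found.append((p['target'], int(p.get('port', 514)),
                          p.get('protocol', 'udp').lower()))
    return found

def port_514_targets(conf_text):
    """Only the forwarding rules whose destination port is 514."""
    return [f for f in find_forwarders(conf_text) if f[1] == 514]

if __name__ == "__main__":
    print("sample:", port_514_targets(SAMPLE_CONF))
    for path in ["/etc/rsyslog.conf"] + sorted(glob.glob("/etc/rsyslog.d/*.conf")):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in port_514_targets(fh.read()):
                    print(path, hit)
        except OSError:
            continue
```

Any target it reports can then be compared with the destination IP seen on the port 514 connection.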