When you set the syslog transport to TLS, the resulting config is invalid.

Here is the relevant config seen in /etc/local/syslog-ng.conf
destination loghost { syslog("syslog.btsys.org" port(514) transport("tls") tls(ca-dir("/etc/certificates"))); };

The only TLS setting actually set is the ca-dir, but even that is set to the wrong value (it's pointing to the client cert not the CA cert).

The other critical settings of client cert and client key are missing.

Lastly, the config assumes the port is remaining 514 where the standard port for syslog with TLS is 6514.

Here's a reference from Syslog-NG: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/55#TOPIC-956596

I tested replacing that config line with a proper line that specifies all the critical settings and the proper port and see that this works as expected then.

What I think you should do is:
1. Add options to the UI to specify the port. This would be great for more than just syslog over TLS; any of the transports could be using a different port.
2. Properly set the client cert and key when selected from the UI.
3. Add a new dropdown to the UI to select the CA cert. This could pull from the CAs that can be defined in the UI and are already stored in /etc/certificates/CA. A symlink to the hash will also be needed here, just like is already done for the client cert.
4. As a nice to have, while touching this area it would be nice to add netconsole support to get kernel messages as the system starts.