Microsoft (until recently) has not natively supported syslog. Event viewer's native format is XML. While the LI agent can collect event viewer logs, it formats them in a proprietary way. It would be ideal to collect in a standard format so when forwarding such events to a third party syslog destination (e.g. SIEM) the third party could properly parse it (without a custom parser). XML is that standard for Microsoft.
Given the LI agent supports CFAPI and/or syslog this means for CFAPI the entire event could be XML and for syslog it could be syslog prefix + XML for unstructured message