You are not using the Add-on to pull the logs from MS API as described in docs, If you are getting them from syslog server then are you storing them on files (or) directly trying to forward to Splunk HF/indexer?
if you are storing syslog on files and forwarding them via UF then you have to set-up inputs.conf and use the sourcetype=o365:management:activity
You need to find props.conf inside add-on having sourcetype - [o365:management:activity] and copy the props file to the Heavy Forwarder/Indexer depends on your set-up either to location /opt/splunk/system/local or /opt/splunk/etc/apps/<yourapp>/local/, then restart the HF/indexer.
This is a general stuff most of the Splunkers follow, you have to improvise depends on your set-up. The above process works for parsing only.
As per docs 'Splunk Add-on for Microsoft Office 365' is the right add-on to pull the logs from MS API. Since you are using syslog as intermediate to send the logs to Splunk, you shall check what's the change in log structure if there is a change (usually syslog messages having additional headers added) you shall write your own parsing during index time.
On search head you shall write your own field extractions, Splunk Documentation has list of sourcetypes - 'o365:management:activity' is the one where AD Audit logs being logged if you install add-on correctly (since you have syslog server not sure will this really work in your case).