UDP Packets: visibility depends on IP address
I have a device that emits SYSLOG messages over a UDP address and port that I specify. If I specify an IP address inside my local router subnet, i.e., 192.168.50.xx (with a PC or Mac also inside, i.e., at another 192.168.50.yy), I can see the packets on WireShark.
If I change the device to specify an IP address outside my local router subnet (e.g., 52.2.xxx.yyy), they don't show up on Wireshark. However, I know they reach their destination (a SaaS logging service).
Note that I do see UDP packets from other devices in my home with Wireshark.
Note that the computers running Wireshare (PC, Mac) and device are all hardwired on same ethernet switch, which is connected to my home router through another switch. Firewall is off on both computers. All protocols are enabled in Wireshark. No other anti-virus software.
Can you provide more information about the topology. I would expect the syslog device will send the packet to the gateway, which will use PAT to convert the source IP address to a public IP. Performing a traceroute from the syslog device to the public IP address is an alternative method for troubleshooting. It will indicate if the packet needs to be routed to the port you are using for packet captures.