Ideally, network devices like a router, firewall or VPN appliance should forward their syslog directly to LEM. However, before doing so, you'll want to make sure that LEM has a connector built for said device. In our case, we have an Cisco ASA as our VPN appliance and so we use the Cisco PIX and IOS connector. Hope that helps!
In our experience, it depends on the connector.
For example, the Windows Application connector has a "catch-all" pattern at the end which is designed to pick up events for which there aren't (currently) more specific patterns. But that "catch-all" pattern is only designed to pick up Error and Warning events, not Information. Some of the more specific patterns in the connector may detect Info events, but the generic "catch-all" is not designed for that.
So depending on how the connector you're using was designed, it may not be built to take in every message, but to focus on what are deemed to be the most important ones (i.e. those with higher severities). I can't say for sure, but my guess would be that that is to avoid potentially overwhelming the LEM server with events which generally are not the most critical.
That makes sense about the connector. Some devices I found were sending me almost everything like the Cisco ASA but a Cisco Switch would only send me events with higher severity.