The main reason to use Filebeat and not syslog is TLS support and better transport (TCP and resume).
Default PfSense uses UDP syslog and for bad internet connections the resume functions of Filebeat is also a reason for going that route.
For now my snort logs are working because they do not use clog. I will try if the clog -f would work for the other log. Maybe someone on the PfSense form knows if clog can be disabled