I found the solution myself: create a rule that uses <if_sid>1</if_sid> and
makes an alert. Simple, but I didn't think of it until now.

  <rule id="100028" level="2">
    <if_sid>1</if_sid>
    <description>Unmatched syslog entry</description>
  </rule>
