rsyslogd to a commercial cloud SIEM with encryption
rsyslog can be used to log locally and send the logs to a remote server. Doing that while encrypting the traffic is a bit more challenging.
Kristian Reese has a wonderful guide here: https://kristianreese.com/2019/07/11/How-to-configure-rsyslog-7-4-9-with-TLS/
It gave me the basics, but my situation was sending logs to a commercial cloud SIEM, and I couldn't generate the CA and the keys myself.
Turns out all you really need is the CA .pem file for encryption to work. I created /etc/rsyslog.d/tls.conf with these entries:
# CA certificate of the SIEM provider (path must not contain spaces)
$DefaultNetstreamDriverCAFile /path/to/<CA file name>.pem
# Use the GnuTLS network stream driver
$DefaultNetstreamDriver gtls
# Mode 1 = TLS only; mode 0 would send plaintext
$ActionSendStreamDriverMode 1
# anon = encrypt the session but do not authenticate the server certificate
$ActionSendStreamDriverAuthMode anon
# Send (all) messages over TCP (@@) - adjust the selector to forward only what you need
*.* @@<destination name or ip>:<dest port>
I restarted rsyslog (systemctl restart rsyslog), monitored my local log files to make sure they were still going there. Then I went off and captured tcpdump traffic to make sure they were going to my destination as well, and were encrypted.
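The anon auth mode in the config above encrypts the session but never checks who is on the other end, so a forwarder set up that way would happily hand its logs to anything answering on that port. The following script is an added example, not part of the original post: it writes a tls.conf that keeps encryption but also verifies the SIEM's certificate against the CA file (auth mode x509/name plus a permitted peer name), flags a config that still uses anon, and wraps the checks described above (config syntax check, a TLS handshake against the CA, and a test message). The CA path, hostname, port and expected certificate name are placeholders supplied through environment variables; it also assumes the SIEM does not demand a client certificate, since the post notes no client keys were available.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders are assumed values:
#   CA_FILE   - the provider's CA bundle, as in the post
#   SIEM_HOST - destination name or IP
#   SIEM_PORT - destination port
#   SIEM_CN   - name in the SIEM's server certificate that rsyslog must see
set -eu

CA_FILE="${CA_FILE:-/etc/rsyslog.d/certs/siem-ca.pem}"   # assumed path
SIEM_HOST="${SIEM_HOST:-siem.example.com}"               # assumed host
SIEM_PORT="${SIEM_PORT:-6514}"                            # assumed port
SIEM_CN="${SIEM_CN:-siem.example.com}"                    # assumed cert name

# Write a tls.conf in the same legacy directive style as the post, but with
# server verification: x509/name checks the chain against CA_FILE and
# requires the certificate name to match SIEM_CN.
write_tls_conf() {
  out="$1"
  cat > "$out" <<EOF
\$DefaultNetstreamDriverCAFile $CA_FILE
\$DefaultNetstreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $SIEM_CN
*.* @@$SIEM_HOST:$SIEM_PORT
EOF
}

# Return 0 when the config authenticates the peer, 1 when it only encrypts.
# Catches the anon setting from the post, and an x509 mode with no peer name.
check_peer_verification() {
  conf="$1"
  if grep -q '^\$ActionSendStreamDriverAuthMode[[:space:]]*anon' "$conf"; then
    echo "WARN: $conf encrypts but does not authenticate the SIEM (anon)"
    return 1
  fi
  grep -q '^\$ActionSendStreamDriverAuthMode[[:space:]]*x509/' "$conf" &&
    grep -q '^\$ActionSendStreamDriverPermittedPeer[[:space:]]' "$conf"
}

# Operational checks; each is skipped if the tool is not installed.
verify_setup() {
  # Parse the full rsyslog config without starting the daemon.
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 || echo "rsyslog config check failed"
  fi
  # Confirm the CA file actually validates the SIEM's certificate chain.
  if command -v openssl >/dev/null 2>&1; then
    openssl s_client -connect "$SIEM_HOST:$SIEM_PORT" -CAfile "$CA_FILE" \
      </dev/null 2>/dev/null | grep 'Verify return code' || echo "TLS handshake check failed"
  fi
  # Emit a marker line to watch for in the local log and in tcpdump.
  if command -v logger >/dev/null 2>&1; then
    logger -t tlstest "rsyslog TLS forwarding test $(date +%s)"
  fi
}

# Usage: sh tls-forward.sh write /etc/rsyslog.d/tls.conf
#        sh tls-forward.sh check /etc/rsyslog.d/tls.conf
#        sh tls-forward.sh verify
case "${1:-}" in
  write)  write_tls_conf "${2:?path}" && echo "wrote ${2}" ;;
  check)  check_peer_verification "${2:?path}" && echo "peer verification enabled" ;;
  verify) verify_setup ;;
  *)      ;;
esac
```

After writing the file, restart rsyslog as in the post and run the verify step; a tcpdump of the destination port should then show only TLS records, and the handshake check should report a zero verify return code if the CA file matches the certificate the SIEM presents.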