rsyslogd to a commercial cloud SIEM with encryption

rsyslog can be used to log locally and send the logs to a remote server.  Doing that while encrypting the traffic is a bit more challenging.

Kristian Reese has a wonderful guide here: https://kristianreese.com/2019/07/11/How-to-configure-rsyslog-7-4-9-with-TLS/

It gave me the basics, but my situation was sending to a commercial cloud SIEM, and I couldn't generate the CA and the keys myself.

Turns out all you really need is the CA .pem file to get encryption going. I created /etc/rsyslog.d/tls.conf with these entries:

$DefaultNetstreamDriverCAFile /path/to/rsyslog pem files/<CA file name>.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
# send (all) messages - adjust the logs to forward here
*.* @@<destination name or ip>:<dest port>
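Before restarting the daemon it is worth checking that the file actually carries the directives gtls needs, that the CA file parses, and which auth mode is in effect: with `anon` the traffic is encrypted but the SIEM's server certificate is not validated, so a CA-signed server certificate can instead be checked with `$ActionSendStreamDriverAuthMode x509/certvalid`. The script below is an added example, not part of the original post; it assumes the config lives at /etc/rsyslog.d/tls.conf (the page's path), that openssl and rsyslogd are installed, and a hypothetical file name check_tls_conf.sh.

```shell
#!/bin/bash
# Added example (not from the original post): sanity checks for a CA-only
# rsyslog TLS forwarding config before restarting rsyslog.
# Assumed: config at /etc/rsyslog.d/tls.conf, openssl and rsyslogd on PATH.

CONF="${1:-/etc/rsyslog.d/tls.conf}"

# Print the value of a legacy "$Directive value" line ($1 = file, $2 = name).
conf_value() {
    awk -v d="\$$2" '$1 == d { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Return 0 when the three directives gtls encryption depends on are present.
has_required_directives() {
    [ "$(conf_value "$1" DefaultNetstreamDriver)" = "gtls" ] || return 1
    [ "$(conf_value "$1" ActionSendStreamDriverMode)" = "1" ] || return 1
    [ -n "$(conf_value "$1" DefaultNetstreamDriverCAFile)" ] || return 1
    return 0
}

# Print the auth mode; "anon" encrypts without validating the server cert.
auth_mode() {
    conf_value "$1" ActionSendStreamDriverAuthMode
}

# Return 0 when the CA file parses as a PEM certificate.
ca_pem_is_valid() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Return 0 when the destination's certificate chains to the CA file.
# Live check only ($1 host, $2 port, $3 CA file); not exercised offline.
server_cert_verifies() {
    echo | openssl s_client -connect "$1:$2" -CAfile "$3" \
        -verify_return_error >/dev/null 2>&1
}

main() {
    has_required_directives "$CONF" || {
        echo "missing gtls directives in $CONF"; return 1; }
    ca="$(conf_value "$CONF" DefaultNetstreamDriverCAFile)"
    ca_pem_is_valid "$ca" || { echo "CA file does not parse: $ca"; return 1; }
    if [ "$(auth_mode "$CONF")" = "anon" ]; then
        echo "note: auth mode anon encrypts but does not verify the server cert"
    fi
    # rsyslogd -N1 validates the config without starting the daemon.
    rsyslogd -N1 -f "$CONF" >/dev/null 2>&1 && echo "config syntax OK"
}

# Usage: ./check_tls_conf.sh /etc/rsyslog.d/tls.conf
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it against the real file after editing; `server_cert_verifies <host> <port> <CA.pem>` is the quick way to confirm the SIEM end presents a certificate the CA file actually signs before switching from `anon` to `x509/certvalid`.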

I restarted rsyslog (systemctl restart rsyslog) and monitored my local log files to make sure messages were still being written there. Then I captured traffic with tcpdump to confirm they were reaching my destination as well, and were encrypted.