TLS & Security
The forwarder supports encrypted connections to syslog servers using TLS 1.2 and TLS 1.3.
Enabling TLS
- Set Protocol to TCP (TLS is not available over UDP)
- Check Use TLS
- Click Start
From the command line:
TLS Versions
The forwarder negotiates TLS 1.2 or TLS 1.3, whichever the server supports. Older protocols (SSL 3.0, TLS 1.0, TLS 1.1) are not offered.
Internally this is configured via SslClientAuthenticationOptions:
Certificate Validation
By default, the forwarder validates the server's TLS certificate against the Windows certificate store. This verifies:
- The certificate is issued by a trusted CA
- The certificate has not expired
- The hostname matches the certificate's subject or SAN
Accepting Self-Signed Certificates
If your syslog server uses a self-signed or internal CA certificate, you have two options:
Option A -- Install the CA certificate (recommended):
Import the CA certificate into the Windows Trusted Root Certification Authorities store. The forwarder will then validate normally.
Option B -- Skip validation:
Uncheck Validate Cert in the GUI, or pass --no-verify on the command line:
Warning
Disabling certificate validation removes protection against man-in-the-middle attacks. Only use this for testing or on trusted networks.
When validation fails, the forwarder logs a warning:
Possible SslPolicyErrors values:
| Error | Meaning |
|---|---|
| None | Certificate is valid |
| RemoteCertificateNameMismatch | Hostname does not match certificate |
| RemoteCertificateChainErrors | CA chain is incomplete or untrusted |
| RemoteCertificateNotAvailable | Server did not present a certificate |
Connection Timeouts
TCP connections (with or without TLS) use a 10-second timeout for both the initial connection and the TLS handshake. If the server does not respond within this window, the connection attempt fails and the forwarder enters its retry/backoff cycle.
Server Name Indication (SNI)
The forwarder sends the target hostname as the SNI extension during the TLS handshake. This allows servers behind a reverse proxy or load balancer to present the correct certificate.
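As an added example (not the forwarder's own code), the behaviour described in the sections above wired together in C#: TLS 1.2/1.3 only, the target hostname as SNI, store-based validation whose failures are logged with their SslPolicyErrors, the --no-verify opt-out, and the 10-second connect and handshake timeouts. The names ConnectAsync, ValidateServerCert, Log and verifyCert are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the forwarder's own code; names are assumptions.
static class TlsSyslogExample
{
    // Mirrors the "Validate Cert" / --no-verify switch. With verification on, anything
    // other than SslPolicyErrors.None rejects the connection. With it off, the connection
    // proceeds but the reason is still logged so the weakened state stays visible.
    public static bool ValidateServerCert(bool verifyCert, object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;
        Log($"Certificate validation failed for {cert?.Subject ?? "<none>"}: {errors}");
        return !verifyCert;   // accept only when the operator explicitly disabled validation
    }

    public static async Task<SslStream> ConnectAsync(string host, int port, bool verifyCert)
    {
        var tcp = new TcpClient();
        using (var connectTimeout = new CancellationTokenSource(TimeSpan.FromSeconds(10)))
            await tcp.ConnectAsync(host, port, connectTimeout.Token);   // initial TCP connect

        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            (s, c, ch, e) => ValidateServerCert(verifyCert, s, c, ch, e));

        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,   // sent as SNI and used for hostname matching
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,   // no SSL 3.0, TLS 1.0 or 1.1
        };
        using (var handshakeTimeout = new CancellationTokenSource(TimeSpan.FromSeconds(10)))
            await ssl.AuthenticateAsClientAsync(options, handshakeTimeout.Token);   // TLS handshake
        return ssl;
    }

    static void Log(string msg) => Console.Error.WriteLine($"[warn] {msg}");
}
```

A timed-out connect or handshake surfaces as an OperationCanceledException, which is the point at which a forwarder would enter its retry/backoff cycle.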
Protocol Interaction
When UDP is selected as the transport protocol:
- The Use TLS checkbox is automatically unchecked and disabled
- The Validate Cert checkbox is also disabled
- TLS settings are ignored in the CLI (--tls has no effect when --protocol UDP is specified)
Switching back to TCP re-enables both TLS controls.
Recommended Port Numbers
| Configuration | Port |
|---|---|
| Plaintext TCP/UDP syslog | 514 |
| TLS-encrypted syslog | 6514 |
| Alternate/custom | 1514 |
Port 6514 is the IANA-assigned port for syslog over TLS (RFC 5425).