Technically, you could do a common list of CA's and bind them to all inputs (or just make one input with all those CAs) but I suppose you might not want that.  In that case you just bind one CA to one input and another CA to another input. You can then even limit access to just allowed SANs.

Hello @PickleRick  yes there are compliance rules in our case. Thanks for your help.

That's what I feared. You might run into performance issues. You've been warned.

Also - it's not a best idea to receive syslog (or pseudo-syslog like raw TCP-TLS stream) directly on the forwarder. If you have the option, I'd advise to set up a separate syslog collector (rsyslog/vanilla syslog-ng/SC4S - in no particular preference order) and either write to files and read from them with a UF or send via HEC to downstream.

But then again - you might not have the possibility here if you have compliance requirements.

Hi @PickleRick  we have already tested it's ok with 100 gb/day.

Do you have sample configurations (inputs.conf / server.conf) to receive syslog over TLS?

I found this doc : https://support.checkpoint.com/results/sk/sk122323

Thanks for your help.

As a general rule - the settings from server.conf are applied if they are not overwritten at inputs.conf/outputs.conf level. So if you specify a cert/CAcert or any other parameters at the particular input/output level, you will have those settings in force at that point.

So yes, you can have separate certs on each "endpoint" but honestly, I don't see much gain in this. The only use case I could think of to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs.