Splunk Enterprise

Can the syslog outputs in outputs.conf use SSL/TLS?

davietch
Path Finder

Hi,

I'm wondering if the syslog outputs.conf feature described in the [syslog] stanza supports TLS encryption?

I see no mention of it in the docs about this.


PickleRick
SplunkTrust

I don't think it can. Also remember that there is no syslog output on Universal Forwarder.

Also, why would you want to use the syslog output? The use cases for it are so rare...


davietch
Path Finder

That's because the receiving end expects a syslog message.


PickleRick
SplunkTrust

OK. Maybe the question was too broad. What is your use case? Do you have non-syslog sources which you want to be sent to some syslog receiver? Or maybe you receive syslog data into your splunk which you want to index and also route to some other solution?


davietch
Path Finder

The receiver is a syslog-ng and expects syslog over TLS; this is mandatory. I understand you want to challenge this, but in my case it is not possible to change it.


PickleRick
SplunkTrust

Actually I'm trying to see if your "incoming" part could be re-architected. But if you absolutely want to get your data to Splunk first, then export it on TLS-enabled syslog then good luck because that output doesn't seem to support that.

You could _try_ to set up a tcpout with sendCookedData=false but there is a huge caveat to that.

You can route your event to one tcpout group at a time. So in order to send your event to both - your splunk indexers and your external syslog - you'd have to bend over backwards to try to make it work with event cloning, routing and generally making a huge mess of your HF's internals.


davietch
Path Finder

Yes, I know. So the simple "syslog" feature does not support TLS in Splunk; that's a shame.

Thanks anyway!


PickleRick
SplunkTrust

Well, you can use a workaround by installing a syslog server on your HF and sending unencrypted logs only on the loopback device so that they don't traverse the network in plain form. In this syslog (either syslog-ng or rsyslog) server's configuration you'd configure TLS-enabled forwarding. That's how I'd approach it if I had such a requirement.
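
The loopback-relay workaround described above, written out as an added example that is not part of the original thread: a Splunk `[syslog:...]` output stanza pointed at 127.0.0.1 (so the unencrypted leg never leaves the host), a `_SYSLOG_ROUTING` transform so the same events still reach the indexers over the normal tcpout group, and an rsyslog relay that listens on loopback only and forwards over TLS with peer-name verification. The stanza name `loopback_tls_relay`, the source path `/var/log/app/*.log`, the hostname `syslog-ng.example.com`, port 6514 and the certificate paths are all assumptions; UDP is the Splunk syslog output's default transport. The script also includes a check that every syslog output target is a loopback address, which is the one property this workaround depends on.

```shell
#!/bin/sh
# Added example (not from the thread): HF -> plaintext syslog on 127.0.0.1 only
# -> local rsyslog -> TLS -> remote syslog-ng. Names and paths are assumptions.

# Write the HF-side Splunk stanzas and the rsyslog relay config into DIR.
write_configs() {
  dir="$1"
  mkdir -p "$dir"

  # outputs.conf: the syslog output target MUST be a loopback address,
  # because this leg is unencrypted. UDP is the syslog output default.
  cat > "$dir/outputs.conf" <<'EOF'
[syslog:loopback_tls_relay]
server = 127.0.0.1:514
type = udp
EOF

  # _SYSLOG_ROUTING is independent of _TCP_ROUTING, so routed events still
  # reach the indexers through the regular tcpout group as well.
  cat > "$dir/transforms.conf" <<'EOF'
[route_to_syslog_relay]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = loopback_tls_relay
EOF
  cat > "$dir/props.conf" <<'EOF'
[source::/var/log/app/*.log]
TRANSFORMS-syslog_relay = route_to_syslog_relay
EOF

  # rsyslog relay (RainerScript): bind the UDP listener to loopback only, then
  # forward over TLS (gtls driver) and verify the peer's certificate name.
  # Certificate locations are assumptions; the syslog-ng side must trust ca.pem.
  cat > "$dir/50-splunk-relay.conf" <<'EOF'
module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1" ruleset="to_syslog_ng")

global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/hf.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/hf-key.pem"
)

ruleset(name="to_syslog_ng") {
  action(type="omfwd" target="syslog-ng.example.com" port="6514" protocol="tcp"
         StreamDriver="gtls" StreamDriverMode="1"
         StreamDriverAuthMode="x509/name"
         StreamDriverPermittedPeers="syslog-ng.example.com"
         queue.type="LinkedList" queue.size="10000"
         action.resumeRetryCount="-1")
}
EOF
}

# Fail (exit 1) if any [syslog...] stanza in FILE sends to a non-loopback host,
# i.e. if the plaintext leg would traverse the network. Accepts 127.0.0.1,
# localhost and ::1 (with or without [] around the IPv6 literal).
check_loopback_only() {
  awk '
    BEGIN { bad = 0 }
    /^\[/ { in_syslog = ($0 ~ /^\[syslog(:|\])/) }
    in_syslog && /^[[:space:]]*server[[:space:]]*=/ {
      split($0, kv, "=")
      gsub(/[[:space:]]/, "", kv[2])
      host = kv[2]
      sub(/:[0-9]+$/, "", host)
      gsub(/\[|\]/, "", host)
      if (host != "127.0.0.1" && host != "localhost" && host != "::1") {
        printf "plaintext syslog would leave the host: %s\n", $0
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Usage: ./relay.sh /tmp/relay-staging
# Then copy outputs/props/transforms.conf into the HF app on $SPLUNK_HOME and
# 50-splunk-relay.conf into /etc/rsyslog.d/, and restart both services.
if [ $# -gt 0 ]; then
  write_configs "$1" && check_loopback_only "$1/outputs.conf" \
    && echo "configs written to $1; syslog output stays on loopback"
fi
```

The check is worth keeping in your deployment pipeline: the whole scheme is only safe while the Splunk side keeps pointing at loopback, and a later edit that changes `server` to the syslog-ng host directly would silently downgrade the path to cleartext.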

aasabatini
Motivator

Hi @davietch

I think the best way to use TLS for syslog sources is to use syslog-ng or rsyslog and use UF TLS to send data.

Please check the example here

https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html


“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

PickleRick
SplunkTrust

This one's kinda old and the current recommended solution for receiving syslog events is SC4S but saving to files and ingesting them from disk will also work of course.

And yes, that's what I was getting to - if the events which @davietch wants to send away are syslog-originated it is probably easier, more efficient and more maintainable to simply use a syslog-dedicated solution than to do that in splunk itself.
