Problem with Remote-Syslogserver over TLS

Started by towatai, December 12, 2024, 10:46:38 AM

Hello everyone,

I have a small but annoying problem. We have an external SOC provider who should receive syslogs from our OPNsense via a TLS connection on their server. We have received a certificate from them; I have imported it on our OPNsense and also specified it in the remote configuration of the logging. Port and hostname of the target server are set and correct.
If I now activate the remote connection, the following error message appears:

Quote
2024-12-12T10:22:01   Notice   configctl   event @ 1733995320.59 exec: system event config_changed response: OK

2024-12-12T10:22:01   Error   opnsense   /usr/local/sbin/pluginctl: The command '/usr/local/sbin/syslog-ng-ctl reload' returned exit code '1', the output was 'Syntax error parsing configuration file, previous config remained intact'

When importing my service provider's certificate, I left the field for the private key blank, as logically I don't have it and shouldn't actually need it for the connection to their server. I entered some random key there as a test and then the OPNsense tried to establish at least the TLS connection, which of course didn't work, but the error message that there was an "error in the configuration" disappeared. It seems as if the private key of my provider's target server is actually required...

That would go against all logic and represent an incalculable risk... Or two of the SOC employees and I have not understood the principle or the way OPNsense and certificates work :D

So, if there is anyone here who sends their Syslogs to an external target server via TLS, I would be very happy to receive the all-important tip!


You should IMHO get the cert of the CA that signed the server certificate for that syslog server and add that at System > Trust > Authorities.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
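
The reply's point, that the sending side needs only the public certificate of the CA that signed the syslog server's certificate, can be checked with openssl before anything is imported into OPNsense. This is an added example, not from the thread or from OPNsense; the CA and server certificates (`Example SOC CA`, `syslog.example.test`) are constructed throwaway samples and the function names are hypothetical.

```shell
# Added example. All certificates are constructed throwaway samples,
# not the SOC provider's files.

# Create a sample CA and a server certificate signed by it in directory $1.
make_sample_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example SOC CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=syslog.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null || return 1
  # Drop every private key: the log-sending side never holds them.
  rm -f "$d/ca.key" "$d/server.key" "$d/server.csr"
}

# Print "root" for a self-signed certificate, "issued" for one signed by another CA.
cert_kind() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  if [ "$subj" = "$iss" ]; then echo root; else echo issued; fi
}

# Succeed only if certificate $2 chains to the trust anchor $1 (public material only).
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: with all private keys deleted, the server certificate still verifies.
d=$(mktemp -d) && make_sample_pki "$d" &&
  echo "server.pem is '$(cert_kind "$d/server.pem")'; chains to ca.pem:" \
       "$(chains_to "$d/ca.pem" "$d/server.pem" && echo yes || echo no)"
rm -rf "$d"
```

Running `cert_kind` on the file received from the provider shows whether it is a CA certificate or the server's own certificate.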