A syslog endpoint has been created for you in your logstash input config.

Click the configuration link on the stack you wish to log too in your dashboard.

Your logstash endpoint link and input configuration input is written out for you. Note you can send syslog over udp or tcp.

rsyslog configuration

Replace STACK_ID and SYSLOG_SSL_PORT with the values from your dashboard. Download file and place in /etc/rsyslog.d/keys/ca.d/.

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *

  1. If possible run the latest minor versions of rsyslog v7 or v8. There are many TLS bugs in past versions.
  2. Ensure you have @@ not a single @ infront of the host. This is so TCP is used.