Syslog TCP SSL input with NGINX reverse proxy


I would like to check with you my conf, because I am not sure of the differents options.

I have :

  • a Syslog input with TLS disabled
  • a NGINX reverse proxy
  • a linux server with rsyslog

Everything seems to work fine, but when I first tried some logs were not recieved by graylog. After deactivated and reactivated the option * ssl_session_cache* in NGINX, all the logs are in graylog. So I am asking if my reverse proxy is good.

Here are my conf of NGINX and syslog client
NGINX reverse proxy
Graylog nodes


  upstream linux_servers {

server {
        listen ssl;

        proxy_pass linux_servers;

        ssl_certificate       /etc/nginx/ssl/nginx_crt.pem;
        ssl_certificate_key   /etc/nginx/ssl/nginx_key.pem;
        ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        # ssl_session_cache     off;                                                                                                                                                            
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;


allow_override_date: true
charset_name: UTF-8
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 16
override_source: <empty>
port: 10516
recv_buffer_size: 1048576
store_full_message: true
tcp_keepalive: false
timezone: Europe/Paris
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
use_null_delimiter: false

RSYSLOG client

## GTLS driver
$DefaultNetstreamDriver gtls
# Certificates
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ChainedCA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/wildcard_cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/wildcard_key.pem

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.domain
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

*.*          @@;RSYSLOG_SyslogProtocol23Format
  • OS Information: Debian 11
  • Package Version: 5.2.2

Have I missed something important to improve performance and fiability ?



What Type of input are you using? It looks like your using TCP connection.


Yes it’s a input Syslog TCP

Did you try TCPDUMP on graylog server see if you can see the remote client?


Your are send syslog TCP with Nginx proxy using certificates for port 10516 with listen ssl. this would be TCP/TLS.
If this is correct then the INPUT should reflect with those certs I do believe. Troubleshooting would be is to disable your SSL and tried it with just


Also one of our cummunity members posted this,

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.