Symptom & Impact
Gaps appear in central logging because the remote TLS forwarding queue stalls.
Environment & Reproduction
Begins immediately after server or intermediate CA certificate rotation.
systemctl status rsyslog
tail -n 50 /var/log/messages
Root Cause Analysis
The forwarder still trusts the old chain, or key permissions prevent it from using the new certificate.
Quick Triage
Check rsyslog errors, trust anchors, and network reachability.
systemctl status rsyslog
firewall-cmd --list-ports
getenforce
journalctl -u rsyslog -n 100 --no-pager
dnf list installed rsyslog-gnutls
Step-by-Step Diagnosis
Validate remote cert chain and local key/cert references.
openssl s_client -connect loggw.example:6514 -servername loggw.example < /dev/null | head -n 80
grep -R 'DefaultNetstreamDriver' /etc/rsyslog* -n
ls -lZ /etc/pki/tls/private /etc/pki/tls/certs

Solution – Primary Fix
Install updated CA chain, verify permissions, and restart rsyslog.
sudo cp new-ca.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
sudo restorecon -Rv /etc/pki
sudo systemctl restart rsyslog
sudo systemctl restart firewalld

Solution – Alternative Approaches
Switch temporarily to RELP with controlled trust settings during emergency restoration.
sudo dnf install rsyslog-relp -y
sudo systemctl restart rsyslog
Verification & Acceptance Criteria
The forwarding queue drains and the remote collector receives new test messages.
logger -p user.info 'rsyslog tls test'
journalctl -u rsyslog -n 40 --no-pager
Rollback Plan
Restore previous rsyslog TLS configuration and trust bundle snapshot.
sudo cp /root/backup/rsyslog.conf /etc/rsyslog.conf
sudo cp /root/backup/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/
sudo systemctl restart rsyslog
Prevention & Hardening
Automate certificate rotation smoke tests for all log forwarders.
openssl x509 -in /etc/pki/tls/certs/rsyslog.crt -noout -enddate
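One way to automate that smoke test, as an added example rather than code from the original page: it performs the handshake with the collector using only the CA file rsyslog is configured to trust, then classifies the result. The function names are illustrative, and it assumes the CA file is set through DefaultNetstreamDriverCAFile in /etc/rsyslog.conf or /etc/rsyslog.d/.

```shell
#!/bin/sh
# Added example: post-rotation smoke test for an rsyslog TLS forwarder.
# Function names are illustrative, not part of rsyslog or the original page.

# Print the CA file rsyslog trusts, from config text on stdin. Handles the legacy
# ($DefaultNetstreamDriverCAFile /path) and RainerScript
# (DefaultNetstreamDriverCAFile="/path") forms; commented lines are ignored.
rsyslog_ca_file() {
  grep -vE '^[[:space:]]*#' |
    grep -ioE 'DefaultNetstreamDriverCAFile[[:space:]=]*"?[^"[:space:])]+' |
    sed -E 's/^[^[:space:]="]+[[:space:]=]*"?//' | tail -n 1
}

# Map the "Verify return code" line of `openssl s_client` output (stdin) to the
# failure classes this page discusses.
classify_verify() {
  code=$(sed -nE 's/^[[:space:]]*Verify return code: ([0-9]+).*/\1/p' | tail -n 1)
  case "$code" in
    0)          echo ok ;;
    10)         echo expired ;;            # a certificate in the chain has expired
    2|19|20|21) echo untrusted-chain ;;    # issuer missing from the trusted CA file
    62)         echo hostname-mismatch ;;
    '')         echo no-handshake ;;       # refused, filtered, or not TLS
    *)          echo "other:$code" ;;
  esac
}

# Handshake with the collector using only the CA file rsyslog itself is
# configured with, so a stale trust chain fails here before the queue stalls.
smoke_test() (
  host=$1 port=$2
  ca=$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | rsyslog_ca_file)
  [ -r "$ca" ] || { echo "$host:$port ca-file-unreadable:$ca"; exit 2; }
  result=$(openssl s_client -connect "$host:$port" -servername "$host" \
             -CAfile "$ca" -no-CApath -verify_hostname "$host" \
             </dev/null 2>/dev/null | classify_verify)
  echo "$host:$port $result (CA file: $ca)"
  [ "$result" = ok ]
)

# Example: sh smoke.sh loggw.example 6514
if [ "$#" -ge 2 ]; then smoke_test "$@"; fi
```

Run it from a timer or the rotation job on each forwarder; a non-zero exit means the next rotation would stall forwarding.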
Related Errors & Cross-Refs
Related to hostname validation mismatch and expired intermediate CAs.
References & Further Reading
rsyslog TLS forwarding setup and certificate lifecycle management documentation.