Affected versions: RHEL 7

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

The central SIEM receives no new events from the affected host while local logging continues. This creates security monitoring blind spots and leaves compliance evidence incomplete.

Environment & Reproduction

This frequently follows TLS certificate rotation, a collector endpoint change, or firewall updates. To reproduce, configure an invalid remote target or block the transport port, then restart rsyslog.

Root Cause Analysis

rsyslog cannot establish or maintain an outbound session to the collector because of endpoint, certificate, or network policy issues. Messages queue locally until a retry succeeds or limits are hit.

Quick Triage

Check systemctl status rsyslog, validate the config syntax with rsyslogd -N1, and inspect journalctl -u rsyslog. Confirm firewalld egress and DNS resolution for the collector host.

Step-by-Step Diagnosis

Test connectivity to the collector, examine the rsyslog action queue metrics, and verify the TLS chain and trust settings. Correlate error bursts in journalctl with recent certificate or network changes.

[Figure: illustrative mockup, rsyslog queue grows while remote forwarding fails]

Solution – Primary Fix

Correct the forwarding destination and credentials/certificates, open the required outbound ports in firewalld, and restart rsyslog via systemctl or service rsyslog restart. Confirm that the queue is draining.

[Figure: illustrative mockup, forwarding target corrected and queue drains]

Solution – Alternative Approaches

Switch to RELP for reliable transport, add a secondary collector for failover, or buffer logs in a disk queue with tuned retry intervals for outage resilience.

Verification & Acceptance Criteria

The collector should receive fresh events, local queue depth should return to baseline, and journalctl must show stable forwarding without repeated connection failures.

Rollback Plan

Restore the previous rsyslog config and certificates, then restart the service. If the collector remains unavailable, retain the local disk queue and escalate to security operations.

Prevention & Hardening

Monitor forwarding latency and queue depth, validate certificate expiry before rotation windows, and enforce tested firewalld egress templates for logging infrastructure.
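One way to watch queue depth and action suspension from a script, added here as an example and not taken from rsyslog or this page's author. It assumes the impstats module is loaded and writing its legacy key=value lines with cumulative counters; the action name fwd_siem, the threshold of 1000 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag forwarding trouble from rsyslog impstats lines.
# Assumes impstats legacy key=value output with cumulative counters
# (resetCounters off).

# check_pstats MAX_QUEUE_SIZE: reads pstats lines on stdin, prints one
# ALERT line per finding, returns 1 if anything was flagged.
check_pstats() {
    awk -v max="$1" '
    /origin=core\.(queue|action)/ {
        # Counter name sits between "pstats: " and ": origin=".
        name = $0
        sub(/^.*pstats: /, "", name)
        sub(/: origin=.*$/, "", name)
        split("", kv)                       # clear fields of previous line
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        # Queue size is a gauge: compare directly with the threshold.
        if (kv["origin"] == "core.queue" && kv["size"] + 0 > max + 0) {
            print "ALERT queue_depth " name " size=" kv["size"]; bad = 1
        }
        # suspended is cumulative: alert only when it rises between samples.
        if (kv["origin"] == "core.action") {
            s = kv["suspended"] + 0
            if ((name in prev) && s > prev[name]) {
                print "ALERT action_suspended " name " suspended=" s; bad = 1
            }
            prev[name] = s
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample: two reporting intervals for an action named fwd_siem.
SAMPLE='Mar  1 10:00:00 host1 rsyslogd-pstats: fwd_siem: origin=core.action processed=120 failed=0 suspended=0 suspended.duration=0 resumed=0
Mar  1 10:00:00 host1 rsyslogd-pstats: fwd_siem queue: origin=core.queue size=4 enqueued=120 full=0 discarded.full=0 discarded.nf=0 maxqsize=9
Mar  1 10:01:00 host1 rsyslogd-pstats: fwd_siem: origin=core.action processed=120 failed=0 suspended=3 suspended.duration=90 resumed=0
Mar  1 10:01:00 host1 rsyslogd-pstats: fwd_siem queue: origin=core.queue size=5210 enqueued=5330 full=0 discarded.full=0 discarded.nf=0 maxqsize=5210'

printf '%s\n' "$SAMPLE" | check_pstats 1000 || echo "forwarding needs attention"
```

Feed it the file or journal stream that impstats writes to, and pick the threshold from the queue depth the host shows when forwarding is healthy.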

Related Errors & Cross-Refs

Related errors include action suspended and TLS handshake failure. Cross-reference chrony time sync (cert validation), DNS integrity, and central collector maintenance records.

References & Further Reading

Use rsyslog forwarding documentation, Red Hat logging hardening guidance, and SIEM onboarding standards. Keep operational examples for systemctl and service command usage.
