Affected versions: RHEL 10

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Security and operations lose centralized visibility when logs stop forwarding.

Environment & Reproduction

Typically occurs after SIEM certificate rotation or network route changes.

systemctl status rsyslog ; logger 'rsyslog test message'

Root Cause Analysis

A TLS handshake failure, an unreachable destination, or a queue permissions problem causes rsyslog to suspend the forwarding action.

Quick Triage

Review rsyslog logs and validate remote endpoint connectivity.

sudo journalctl -u rsyslog -n 120 ; nc -zv <siem-host> 6514

Step-by-Step Diagnosis

Validate action config syntax and certificate paths.

sudo rsyslogd -N1 ; grep -ER 'omfwd|target|StreamDriver' /etc/rsyslog* ; ls -l /etc/pki/rsyslog

Solution — Primary Fix

Fix destination/TLS config, restart rsyslog, and flush queue.

sudo vi /etc/rsyslog.d/50-forward.conf ; sudo systemctl restart rsyslog ; sudo journalctl -u rsyslog -n 50

Solution — Alternative Approaches

During incident response, temporarily forward over RELP/TCP without TLS, and only within an isolated network.

Verification & Acceptance Criteria

New test messages appear in SIEM and rsyslog reports no suspended actions.

logger 'siem forward verify' ; sudo journalctl -u rsyslog -n 40 | grep -Ei 'suspended|error'
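
The grep above also matches "suspended" lines logged before the fix, so a recovered system can still look broken. As an added example (not part of the original page), this function keeps only the last state seen for each action and lists the actions that are still suspended; the action names, host and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Added example. Action names, host and timestamps below are constructed.

# Constructed journal lines in the shape rsyslog logs on suspend/resume.
sample_journal() {
    cat <<'EOF'
Jan 10 09:00:01 host1 rsyslogd[812]: action 'fwd_siem' suspended (module 'builtin:omfwd'), retry 0.
Jan 10 09:02:10 host1 rsyslogd[812]: action 'fwd_backup' suspended (module 'builtin:omfwd'), retry 0.
Jan 10 09:05:30 host1 rsyslogd[812]: action 'fwd_backup' resumed (module 'builtin:omfwd')
Jan 10 09:06:00 host1 rsyslogd[812]: imjournal: journal files changed, reloading...
EOF
}

# Read journal text on stdin and print, one per line, every action whose
# most recent event is "suspended". Empty output means nothing is stuck.
still_suspended() {
    awk -v q="'" '
        BEGIN { re = "action " q "[^" q "]+" q " (suspended|resumed)" }
        match($0, re) {
            hit = substr($0, RSTART, RLENGTH)   # e.g. action NAME suspended, NAME in quotes
            split(hit, part, q)                 # part[2] is NAME, part[3] is the state
            state[part[2]] = (part[3] ~ /suspended/) ? "suspended" : "resumed"
        }
        END {
            for (a in state)
                if (state[a] == "suspended") print a
        }
    ' | sort
}

# Demo on the constructed sample: fwd_backup recovered, fwd_siem did not.
sample_journal | still_suspended   # prints fwd_siem
```

On a live host, feed it the unit's journal instead of the sample: `sudo journalctl -u rsyslog -n 200 | still_suspended`.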

Rollback Plan

Reinstate previous known-good forwarding config if new cert chain is incompatible.

Prevention & Hardening

Add certificate expiry monitoring and queue depth alerts for forwarding actions.

Related Errors & Cross-Refs

Often appears with firewall egress restrictions and DNS lookup latency.

References & Further Reading

Rsyslog forwarding and TLS setup documentation for RHEL environments.
