Follow-up from epic #76. Depends on the TCP transport issue landing first (TLS sits on top of TCP framing).
Why
Compliance-sensitive deployments and any production-facing syslog collector typically require TLS. The simulator already has shared TLS cert infrastructure (see `manager.go:generateSharedTLSCert`) that could be reused.
Scope
- `-syslog-transport tls` option (builds on TCP issue).
- RFC 5425 framing (octet-counting over TLS on port 6514 by default).
- Cert plumbing: decide whether to reuse the shared TLS cert (same shape as HTTPS API), bundle a dedicated syslog-TLS cert, or accept operator-supplied certs via flag.
- Per-device source IP implications — TLS handshakes are expensive per-connection; design note required.
Out of scope
- Client-cert auth (mutual TLS).
References
- RFC 5425 "Transport Layer Security (TLS) Transport Mapping for Syslog"
- `go/simulator/manager.go` shared TLS cert generation
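An added sketch of the RFC 5425 octet-counted framing named under Scope (`MSG-LEN SP SYSLOG-MSG`), not code from the simulator. `Frame`, `ReadFrame` and the `maxFrame` cap are hypothetical names; the TLS layer is left out, so in use the reader would wrap the `tls.Conn`, and the sample messages are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

const maxFrame = 8192 // assumed receiver cap; RFC 5425 requires handling at least 2048 octets

// Frame encodes one syslog message as "MSG-LEN SP SYSLOG-MSG".
func Frame(msg []byte) []byte {
	return append([]byte(strconv.Itoa(len(msg))+" "), msg...)
}

// ReadFrame reads one frame, rejecting malformed or oversized MSG-LEN before allocating.
func ReadFrame(r *bufio.Reader) ([]byte, error) {
	n := 0
	for i := 0; ; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return nil, err
		}
		if b == ' ' && i > 0 {
			break
		}
		// MSG-LEN = NONZERO-DIGIT *DIGIT: no leading zero, digits only.
		if b < '0' || b > '9' || (i == 0 && b == '0') {
			return nil, errors.New("bad MSG-LEN")
		}
		if n = n*10 + int(b-'0'); n > maxFrame {
			return nil, errors.New("frame too large")
		}
	}
	msg := make([]byte, n)
	if _, err := io.ReadFull(r, msg); err != nil {
		return nil, err // io.ErrUnexpectedEOF on a truncated frame
	}
	return msg, nil
}

func main() {
	// Constructed messages; the embedded newline survives because framing is by length.
	s := append(Frame([]byte("<13>1 - sim-dev1 - - - - line1\nline2")), Frame([]byte("<13>1 - sim-dev2 - - - - ok"))...)
	r := bufio.NewReader(bytes.NewReader(s))
	for m, err := ReadFrame(r); err == nil; m, err = ReadFrame(r) {
		fmt.Printf("%q\n", m)
	}
}
```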