SYSLOG over UDP has been the tried and true method for collecting messages from IOS XE and other devices for decades. SYSLOG UDP uses udp/514 for transport, and the sender transmits messages in the clear to the server: anyone on the path can read them, alter them, or inject forged messages, and the server has no way to verify who actually sent them. As the industry embraces "encrypt everywhere" we should follow suit. SYSLOG TLS is the more modern method of moving these messages from the sender to the server. SYSLOG TLS uses Transport Layer Security to provide a TCP-based secure transport for SYSLOG messages. TLS provides confidentiality and integrity for the messages, and, because both sides present certificates, mutual authentication of the sender and receiver.
In our examples, the Catalyst 9000 switch will always be a 'transport sender' or a 'TLS Client'. The SYSLOG server will be the 'transport receiver' or 'TLS Server'.
SYSLOG TLS is defined in RFC 5425 (Transport Layer Security (TLS) Transport Mapping for Syslog).
I believe SYSLOG TLS support was introduced in Catalyst 9000 in 17.2.
Most modern SYSLOG servers will support SYSLOG TLS.
The SYSLOG TLS default port is tcp/6514 (the port assigned by RFC 5425).
Certificates from an Enterprise CA as well as self-signed certificates are supported for authentication. This document explains how to use certificates from an Enterprise CA.
Install a Certificate on the Catalyst Switch
SYSLOG TLS requires certificates on both the sender (Cat9k) and the receiver (SYSLOG server). You can follow this guide for manual Certificate Enrollment. Because the switch is the TLS client, the certificate issued to the Cat9k must carry the Client Authentication EKU (id-kp-clientAuth). See below in the Verification section for details.
Install a Certificate on the SYSLOG server
The certificate on the SYSLOG server must carry the Server Authentication EKU (id-kp-serverAuth), since the server is the TLS server in this exchange. How you install it depends on your SYSLOG server.
Configure the Cat 9K for SYSLOG TLS
Create the logging profile
Be sure to point the trustpoint to the certificate that was created in the first section above (Install a Certificate on the Catalyst Switch). I'm forcing TLS 1.2 primarily because TLSv1.1 should never be used if possible.
Please review your SYSLOG TLS server for its supported cipher suites before enabling this feature in the TLS profile; if the two sides share no suite, the handshake fails and no messages are delivered. Cipher suites are named in the order key exchange, authentication, bulk encryption, message authentication. The cipher suites are listed here with the strongest toward the top, IMO.
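The following is an added, end-to-end IOS XE configuration for the procedure above (trustpoint, TLS profile, logging host binding and verification); it is not from the original post. The trustpoint name CAT9K-SYSLOG, key label SYSLOG-TLS-KEY, profile name SYSLOG-TLS, subject name and collector address 10.10.10.50 are assumptions, and the ciphersuite keyword should be confirmed against the `?` help on your release, since the exact keyword list varies by version:

```cisco
! Added example, not from the original post. Names and addresses are assumptions.
!
! Step 1: the switch's own identity. Manual (terminal) enrollment against the
! Enterprise CA; the certificate the CA issues must carry the Client Auth EKU.
crypto key generate rsa general-keys label SYSLOG-TLS-KEY modulus 2048
crypto pki trustpoint CAT9K-SYSLOG
 enrollment terminal pem
 subject-name CN=cat9k-01.example.com,O=Example
 rsakeypair SYSLOG-TLS-KEY
!
! Import the CA certificate (paste the PEM when prompted).
crypto pki authenticate CAT9K-SYSLOG
! Generate the CSR, submit it to the CA, then import the issued certificate.
crypto pki enroll CAT9K-SYSLOG
crypto pki import CAT9K-SYSLOG certificate
!
! Step 2: the TLS profile. TLS 1.2 only, one strong suite, and the trustpoint
! above as the client identity presented to the SYSLOG server.
logging tls-profile SYSLOG-TLS
 tls-version TLSv1.2
 ciphersuite ecdhe-rsa-aes-gcm-sha2
 client-id-trustpoint CAT9K-SYSLOG
!
! Step 3: bind the profile to the collector on the RFC 5425 port (tcp/6514).
logging host 10.10.10.50 transport tls port 6514 profile SYSLOG-TLS
logging trap informational
!
! Verification: the host entry should show transport tls, and the trustpoint
! should hold both the CA certificate and the switch's own certificate.
show logging
show crypto pki certificates CAT9K-SYSLOG
show crypto pki trustpoints CAT9K-SYSLOG status
```

Two caveats worth checking before declaring this done. First, the switch validates the SYSLOG server's certificate against the CA certificates it holds, so the CA that issued the server certificate must be authenticated on the switch (here the same Enterprise CA); otherwise the handshake fails and no messages are delivered, which is easy to miss because nothing arrives at the collector. Second, the trustpoint's default revocation check is CRL, so the switch must be able to reach the CRL distribution point, or you must deliberately decide on a different revocation-check policy for the trustpoint.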