Hi,

I hope someone can help me!

The syslog-ng in our environment sends syslog messages using TLS to our SIEM (Qradar). The following is the configuration of the syslog-ng (IP changed):

    # First, set some global options.
    options {
        chain_hostnames(off);
        flush_lines(0);
        use_dns(yes);
        use_fqdn(no);
        owner("root");
        group("adm");
        perm(0640);
        stats_freq(0);
        bad_hostname("^gconfd$");
    };

    destination d_qradar_tls {
        tcp("1.2.3.4" port(6514)
            tls( peer-verify(required-untrusted)
                 ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d"))
        );
    };

    destination d_qradar_local { file("/tmp/qradar_local"); };

    source s_testlog { file("/tmp/testlog" flags(no-parse)); };

    log {
        source(s_testlog);
        destination(d_qradar_local);
        destination(d_qradar_tls);
    };

When I insert a message into the testlog, it is parsed and written into the local destination "d_qradar_local" but not sent to the remote destination.

Syslog-NG in debugging mode (syslog-ng -Fevdt) shows the following:

    …
    Syslog connection established; fd='7', server='AF_INET(1.2.3.4:6514)', local='AF_INET(0.0.0.0:0)'
    Incoming log entry; line='test'
    Initializing destination file writer; template='/tmp/qradar_local', filename='/tmp/qradar_local'
    Destination timed out, reaping; template='/tmp/qradar_local', filename='/tmp/qradar_local'
    Closing log transport fd; fd='15'

Using tcpdump to check whether any packets are sent to Qradar reveals that only the first insertion of a message into the testlog after a restart of syslog-ng leads to a packet being sent to Qradar. Every other insertion has no effect on the remote destination but is always inserted into the local destination (file). Also, during the start of syslog-ng, two packets are sent to Qradar.

I've also opened a ticket at IBM and am awaiting a response.

Thank you very much in advance for any help on this!

Kind regards,
Stefan

--
University of Bern
IT Services Department