Use authenticated TLS mode instead of anonymous mode: Configure certificate trust (CA/cert/key as required by module/driver). Use non-anonymous auth modes (for example x509-based modes) and set permitted peer constraints.

Encrypting Syslog Traffic with TLS (SSL) [short version] — TLS setup fundamentals Encrypting Syslog Traffic with TLS (SSL) — certificate workflow and trust model Setting up a client and Setting up the Central Server — practical endpoint configuration

Why does rsyslog warn that TLS is not active with streamdriver.mode=”0”? — TLS parameters present but TLS not active Why do I see gibberish when connecting with TLS? — symptom when TLS/plain transport do not match imtcp: TCP Syslog Input Module omfwd: syslog Forwarding Output Module imrelp: RELP Input Module omrelp: RELP Output Module Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project Contributing: Source & docs: rsyslog source project © 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.

Why does rsyslog warn that anonymous TLS authentication allows MITM?¶

Q: How to turn this warning off

These messages are emitted by compatibility secure mode warn. You can silence them by changing the global policy: global(compatibility.defaults.secure="backward-compatible"): keeps old insecure defaults and suppresses these warnings. global(compatibility.defaults.secure="strict"): enforces secure defaults and also suppresses these warnings because insecure defaults are no longer used. The recommended path is to keep warn until configuration is remediated, then move to strict.

TLS with anonymous authentication encrypts traffic but does not authenticate peer identity. Because identity is not verified, an active man-in-the-middle (MITM) can impersonate endpoints.

What this warning means¶

The warning appears when TLS is enabled but authentication mode is set to anonymous, for example:

streamdriver.authmode="anon" (imtcp / omfwd)
tls.authmode="anon" (imrelp / omrelp)

In this mode, you get encryption on the wire, but you do not get authenticated peer identity.

Why this matters¶

Without identity checks (certificate name or chain validation against expected peers), an attacker who can intercept traffic can present another endpoint and relay/alter messages. That is exactly the MITM risk the warning calls out.

How to fix¶

Use authenticated TLS mode instead of anonymous mode:

Configure certificate trust (CA/cert/key as required by module/driver).
Use non-anonymous auth modes (for example x509-based modes) and set permitted peer constraints.

How to turn this warning off¶

These messages are emitted by compatibility secure mode warn. You can silence them by changing the global policy:

global(compatibility.defaults.secure="backward-compatible"): keeps old insecure defaults and suppresses these warnings.
global(compatibility.defaults.secure="strict"): enforces secure defaults and also suppresses these warnings because insecure defaults are no longer used.

The recommended path is to keep warn until configuration is remediated, then move to strict.

Primary tutorials¶

Encrypting Syslog Traffic with TLS (SSL) [short version] — TLS setup fundamentals
Encrypting Syslog Traffic with TLS (SSL) — certificate workflow and trust model
Setting up a client and Setting up the Central Server — practical endpoint configuration