ePO syslog forwarding only supports the TCP protocol, and requires Transport Layer Security (TLS). Specifically, it supports receivers following RFC 5424 and RFC 5425, which is known as syslog-ng.

You do not need to import the certificate used by the syslog receiver into ePO. As long as the certificate is valid, ePO accepts it. Self-signed certificates are supported and are commonly used for this purpose.

ePO does not support Mutual TLS when connecting to a syslog receiver.

ePO supports TLSv1.2 and the following cipher suites:
 
The syslog receiver must support at least one of the above suites for the TLS handshake to succeed.
 
If your syslog receiver does not support the above requirements, event forwarding fails. The exact symptoms depend on the particular syslog receiver, but might include one or more of the following:

• When the Test Connection option on the syslog registered server page is clicked, an error message is displayed, or an ellipsis: '...'
• No events are received at the syslog receiver.
• Events are received, but the entire event is garbled and unreadable.

NOTES: 

• Parts of some product events, such as Data Loss Protection (DLP), are not readable. The text is unreadable because some products encrypt sensitive fields in the event. These fields are decrypted via the managed product extension to be displayed in ePO. Events are forwarded to the syslog receiver in their raw state before the extension decrypts them. So, the encrypted sections of the event are not readable.
• Events are forwarded using the event parser service, which exists on the ePO server itself and any additional Agent Handlers. So, all Agent Handlers must make a connection to the syslog receiver. If you have multiple syslog receivers configured, events are forwarded to all receivers. The ePO server and any additional Agent Handlers must be configured to communicate with all syslog receivers. So, you must adjust your firewall rules accordingly.