Why does rsyslog warn that TLS is not active with streamdriver.mode=”0”?¶
If a connection is configured with plain transport (for example, streamdriver.mode="0",
UDP, or RELP tls="off"), TLS is not in use even if other TLS-related parameters are present.
What this warning means¶
The warning indicates that the effective transport is not TLS-protected. Common cases are:
imtcporomfwdwithstreamdriver.mode="0"(plain TCP)imtcporomfwdusing a TLS-capable stream driver such asossl,gtls, ormbedtlswhile the mode is still0; this includes drivers inherited fromglobal(defaultNetstreamDriver="...")omfwdwithprotocol="udp"imrelp/omrelpwithtls="off"
When these settings are active, encryption and certificate checks do not happen for that path.
Why this matters¶
If operators set TLS-related parameters (driver name, auth mode, certs) but transport mode still selects plain communication, configuration can look secure while traffic remains unencrypted. The warning is emitted to prevent this false sense of security.
How to fix¶
Pick one explicit model and make it consistent:
Use TLS intentionally: configure a TLS-capable stream driver and set
streamdriver.mode="1"/StreamDriverMode="1". SelectingStreamDriver="ossl","gtls", or"mbedtls"chooses the driver, but mode1is what activates TLS.Use plain transport intentionally: remove TLS-only parameters so intent is clear and warnings stop.
How to turn this warning off¶
These messages are emitted by compatibility secure mode warn.
You can silence them by changing the global policy:
global(compatibility.defaults.secure="backward-compatible"): keeps old insecure defaults and suppresses these warnings.global(compatibility.defaults.secure="strict"): promotes an omitted stream-driver mode to TLS mode1when the effective stream driver is TLS-capable. An explicitstreamdriver.mode="0"with a TLS-capable effective driver is rejected so that strict mode does not silently override explicit plain-TCP intent.
The recommended path is to keep warn until configuration is remediated,
then move to strict.
Primary tutorials¶
Encrypting Syslog Traffic with TLS (SSL) [short version] — end-to-end TLS setup basics
Encrypting Syslog Traffic with TLS (SSL) — certificate-based TLS deployment flow
Reliable Forwarding of syslog Messages with Rsyslog — forwarding patterns you can combine with TLS
See also¶
Why does rsyslog warn that anonymous TLS authentication allows MITM? — why anonymous TLS auth still permits MITM
Why do I see gibberish when connecting with TLS? — TLS client talking to a plain listener
Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project
Contributing: Source & docs: rsyslog source project
© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.