vyos · c-po · Oct 24, 2025 · Oct 24, 2025
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
@@ -101,7 +101,7 @@ if prifilt("{{ tmp | join(',') }}") then {
         target="{{ remote_name }}"
         # Port on the remote syslog server
         port="{{ remote_options.port }}"
-        protocol="{{ 'tcp' if tls.enable is vyos_defined else remote_options.protocol }}"
+        protocol="{{ 'tcp' if tls is vyos_defined else remote_options.protocol }}"
 {%             if remote_options.format.include_timezone is vyos_defined %}
         template="RSYSLOG_SyslogProtocol23Format"
 {%             endif %}
@@ -112,7 +112,7 @@ if prifilt("{{ tmp | join(',') }}") then {
 {%             if remote_options.vrf is vyos_defined %}
         Device="{{ remote_options.vrf }}"
 {%             endif %}
-{%             if tls.enable is vyos_defined %}
+{%             if tls is vyos_defined %}
 {%                 set auth_mode = tls.auth_mode %}
         # Specify the use of the OpenSSL TLS driver for this action
         StreamDriver="ossl"

diff --git a/interface-definitions/system_syslog.xml.in b/interface-definitions/system_syslog.xml.in
@@ -70,12 +70,6 @@
                   <help>Transport Layer Security (TLS) options for secure syslog</help>
                 </properties>
                 <children>
-                  <leafNode name="enable">
-                    <properties>
-                      <help>Enable TLS encryption for log transmission to this remote syslog server</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
                   <!-- CA cert help should describe trust anchor for server/client validation -->
                   #include <include/pki/ca-certificate.xml.i>
                   <!-- Certificate help should specify identity for mutual authentication -->

diff --git a/smoketest/scripts/cli/test_system_syslog.py b/smoketest/scripts/cli/test_system_syslog.py
@@ -305,12 +305,17 @@ def test_remote_tls(self):
         self._set_tls_certificates()
 
         rhosts = {
+            '172.10.0.1': {
+                'facility': {'all': {'level': 'debug'}},
+                'port': '6514',
+                'protocol': 'udp',
+                'tls': {},
+            },
             '172.10.0.2': {
                 'facility': {'all': {'level': 'debug'}},
                 'port': '6514',
                 'protocol': 'udp',
                 'tls': {
-                    'enable': True,
                     'auth-mode': 'anon',
                 },
             },
@@ -319,7 +324,6 @@ def test_remote_tls(self):
                 'port': '6514',
                 'protocol': 'tcp',
                 'tls': {
-                    'enable': True,
                     'ca-certificate': ca_cert_name,
                     'auth-mode': 'certvalid',
                 },
@@ -329,7 +333,6 @@ def test_remote_tls(self):
                 'port': '6514',
                 'protocol': 'tcp',
                 'tls': {
-                    'enable': True,
                     'ca-certificate': ca_cert_name,
                     'certificate': client_cert_name,
                     'auth-mode': 'fingerprint',
@@ -341,7 +344,6 @@ def test_remote_tls(self):
                 'port': '6514',
                 'protocol': 'tcp',
                 'tls': {
-                    'enable': True,
                     'ca-certificate': ca_cert_name,
                     'certificate': client_cert_name,
                     'auth-mode': 'name',
@@ -368,11 +370,11 @@ def test_remote_tls(self):
                 self.cli_set(remote_base + ['protocol'], value=protocol)
 
             tls = remote_options['tls']
-            for key, value in tls.items():
-                if key == 'enable':
-                    self.cli_set(remote_base + ['tls', 'enable'])
-                else:
+            if tls:
+                for key, value in tls.items():
                     self.cli_set(remote_base + ['tls', key], value=value)
+            else:
+                self.cli_set(remote_base + ['tls'])
 
         self.cli_commit()
 
@@ -414,6 +416,9 @@ def test_remote_tls(self):
                     value = tls['permitted-peers']
                     self.assertIn(f'StreamDriverPermittedPeers="{value}"', config)
 
+                if not tls:
+                    self.assertIn(f'StreamDriverAuthMode="anon"', config)
+
     def test_vrf_source_address(self):
         rhosts = {
             '169.254.0.10': { },

diff --git a/src/conf_mode/system_syslog.py b/src/conf_mode/system_syslog.py
@@ -52,7 +52,7 @@ def _cleanup_tls_certs():
 
 
 def _remote_has_tls(remote_options):
-    return 'tls' in remote_options and 'enable' in remote_options['tls']
+    return 'tls' in remote_options
 
 
 def _verify_tls_remote_options(remote, remote_options, syslog):
@@ -138,6 +138,11 @@ def get_config(config=None):
             tmp  = conf.return_value(['system', 'domain-name'])
             syslog['preserve_fqdn']['domain_name'] = tmp
 
+    # prune 'remote <remote> tls' if it was not set by user
+    for remote in syslog.get('remote', {}):
+        if syslog.from_defaults(['remote', remote, 'tls']):
+            del syslog['remote'][remote]['tls']
+
     return syslog
 
 def verify(syslog):