Remote

On the host:

$ doas rcctl set syslogd flags -S host.example.com:55106 -K /etc/ssl/cert.pem

On the client:

$ doas rcctl set syslogd flags -c /etc/ssl/client.example.com.fullchain.pem -k /etc/ssl/private/client.example.com.key

In /etc/syslog.conf:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @tls4://host.example.com:55106
auth,daemon,syslog,user.info;authpriv,kern.debug                @tls4://host.example.com:55106