Without Mutual Authentication:
In order to use TLS within the Syslog-ng Agent for Windows please ensure that the RootCA certificate, which is also used on the end destination, is stored on the Syslog-ng Agent for Windows host sending the logs within the computer certificates under the Trusted Root Certificate Authorities folder.
When the correct RootCA is stored in that location, the Syslog-ng Agent will automatically pick that up and use it to encrypt the logs to be sent to the destination.
Nothing else needs to be done other than to set TLS as the connector for the Agent within the config. No TLS certificate needs to be set within the config of the Syslog-ng agent.
NOTE - If no certificate is specified in the Syslog-ng Agent for Windows configuration, yet TLS is checked, the Agent will automatically default to TLS without mutual authentication.
Using Mutual Authentication:
In addition to the steps above, the specific certificate to be used by the Syslog-ng Agent for Windows host, which has been signed by the RootCA which has signed both the host and destination's certificates, needs to be applied in the config of the Syslog-ng Agent for Windows.
Again, both the Syslog-ng Agent for Windows host certificate and the end destination's certificate need to be signed by the same RootCA in order for mutual authentication to be successful. Wildcard certificates are valid.