The TLS server certificate includes both a CN and SAN, but the rsyslog client is only validating against the CN and not the SAN entries.
During server certificate validation, the connect name configured in ISG 2.5.1.1 is compared to the names presented in the certificate:
1) If an IP address is used to configure the connection to the remote syslog server, then the CN must include that IP.
Note: An IP address in the SAN will not work.
2) If a hostname is used to configure the connection to the remote syslog server, then either the CN or SAN must include that hostname.
ISG 2.5.1.1 cannot process a server certificate that carries the (NAT) IP address in the SAN field.
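The matching rule described above, modelled as an added Python example (not vendor code) for pre-checking a certificate against the configured connect name before deploying it. It assumes the certificate names are supplied in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and that names match exactly (wildcards are not modelled because this article does not describe them); the function names and sample certificates are constructed for illustration.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def cert_names(cert):
    """Extract (CN list, SAN DNS list, SAN IP list) from a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    return cns, dns, ips

def isg_2511_accepts(connect_name, cert):
    """Model the ISG 2.5.1.1 rule from this article. Returns (accepted, reason)."""
    cns, dns, ips = cert_names(cert)
    target_ip = _as_ip(connect_name)
    if target_ip is not None:
        # Rule 1: an IP connect name is matched against the CN only.
        if any(_as_ip(cn) == target_ip for cn in cns):
            return True, "IP matches CN"
        if any(_as_ip(ip) == target_ip for ip in ips):
            return False, "IP is only in SAN; 2.5.1.1 ignores SAN IP entries"
        return False, "IP not present in certificate"
    # Rule 2: a hostname may match either the CN or a SAN DNS entry.
    wanted = connect_name.strip().rstrip(".").lower()
    if any(n.rstrip(".").lower() == wanted for n in cns + dns):
        return True, "hostname matches CN or SAN"
    return False, "hostname not present in CN or SAN"

# Constructed sample certificates (documentation address range, not real hosts).
SAN_ONLY_IP = {
    "subject": ((("commonName", "syslog.example.com"),),),
    "subjectAltName": (("DNS", "syslog.example.com"), ("IP Address", "192.0.2.10")),
}
CN_IP = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "syslog.example.com"),),
}
```

A `False` result with the "only in SAN" reason identifies the failing case this article describes.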
ISG 2.5.1.1
This issue, where remote syslog messages failed to send over TLS with a SAN certificate, has been fixed in ISG 2.5.2.1 (ISG-2346).