The SYSLOG protocol contains no provision for authentication. Without authentication, it's possible for an attacker to spoof or masquerade as the legitimate source (Remote Support appliance) and to inject bogus event information into the SYSLOG receiver.
TLS mutual authentication provides a means for the SYSLOG receiver to authenticate the SYSLOG sender, by checking the fingerprint of the TLS client certificate.
If the transport receiver does not authenticate the transport sender, it may accept data from an attacker. Unless it has another way of authenticating the source of the data, the data should not be trusted. This is especially important if the syslog data is going to be used to detect and react to security incidents.
The transport receiver may also increase its vulnerability to denial of service, resource consumption, and other attacks if it does not authenticate the transport sender. Because of the increased vulnerability to attack, this type of configuration is NOT RECOMMENDED.
RFC 5425 states that both the syslog transport sender (TLS client) and the syslog transport receiver (TLS server) MUST implement certificate-based authentication.
Without support for TLS client certificates, BeyondTrust's implementation of SYSLOG-over-TLS is not compliant with RFC 5425 and exposes customers' transport receivers to spoofing and masquerade attacks.
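The receiver-side check described above, sketched as an added example (not BeyondTrust's code or any product's configuration): the receiver requires a client certificate during the TLS handshake, then compares its fingerprint, in the `hash-name:hex` form RFC 5425 uses, against a configured allowlist. The function names, the allowlist parameter and the sample bytes are assumptions made for illustration.

```python
import hashlib
import ssl

# Fingerprint text form: "<hash name>:<colon-separated uppercase hex>"
HASHES = {"sha-1": "sha1", "sha-256": "sha256"}

# Constructed stand-in bytes; a real receiver hashes the peer's DER certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded client certificate"


def fingerprint(der_cert, algo="sha-256"):
    """Return the fingerprint of a DER certificate, e.g. 'sha-256:AB:CD:...'."""
    digest = hashlib.new(HASHES[algo], der_cert).hexdigest().upper()
    pairs = [digest[i:i + 2] for i in range(0, len(digest), 2)]
    return algo + ":" + ":".join(pairs)


def sender_is_authorized(der_cert, allowed):
    """True only if a certificate was presented and matches a configured entry."""
    if not der_cert:  # sender offered no client certificate
        return False
    for entry in allowed:
        algo = entry.split(":", 1)[0].strip().lower()
        if algo in HASHES and fingerprint(der_cert, algo).lower() == entry.strip().lower():
            return True
    return False


def receiver_context(cert_file=None, key_file=None, trust_file=None):
    """TLS server context that refuses senders without a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if no client cert is sent
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # receiver's own identity
    if trust_file:
        ctx.load_verify_locations(trust_file)  # issuers or pinned sender certs
    return ctx


def accept_sender(tls_sock, allowed):
    """Run after the handshake: check the peer certificate's fingerprint."""
    return sender_is_authorized(tls_sock.getpeercert(binary_form=True), allowed)
```

A receiver would call `accept_sender` on each wrapped connection before reading any syslog frames and close the connection when it returns `False`.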