It would be helpful if TCP keepalives could be incorporated in outbound Syslog-TLS connections.
The reason is that, currently, the Syslog client on the BT appliance has to maintain the TLS connection for 2 hours. However, as with most enterprise firewalls, this Syslog-TLS connection is terminated by the firewall after 1 hour, due to TCP idling and no keepalives.
Because of this, any further TCP packets are denied by the firewall, including the TCP RST to close the connection. As a result, a lot of stale connections are left in the ESTABLISHED state on the Syslog server, eventually causing CPU spikes.
If TCP keepalives are incorporated, the firewall will not kill it.
(Another option: raising the firewall idle time to 2 hrs. While this is possible, it is not very sustainable due to the high number of connections on certain firewalls.)
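The following is an added example, not part of the original post and not the appliance's own code: a sketch of a Syslog-TLS client that picks keepalive timers from the 1-hour firewall idle timeout described above and applies them to the TCP socket before TLS starts. The function names are hypothetical, the socket option names are the Linux ones, and port 6514 is the standard syslog-over-TLS port.

```python
import socket
import ssl

FIREWALL_IDLE_TIMEOUT = 3600  # seconds: the 1-hour firewall idle timeout from the post


def plan_keepalive(firewall_idle_timeout, interval=30, probes=5):
    """Choose timers so the first probe and every retry leave before the firewall expires the flow."""
    idle = firewall_idle_timeout // 2            # first probe at half the idle timeout
    dead_peer_after = idle + interval * probes   # when an unanswered connection is declared dead
    if idle <= 0 or dead_peer_after >= firewall_idle_timeout:
        raise ValueError("keepalive probes would not beat the firewall idle timeout")
    return {"idle": idle, "interval": interval, "probes": probes}


def enable_keepalive(sock, plan):
    """Apply the plan to a TCP socket (Linux option names, an assumption of this example)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, plan["idle"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, plan["interval"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, plan["probes"])


def read_keepalive(sock):
    """Read the effective settings back from the kernel, for verification."""
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def open_syslog_tls(host, port=6514, plan=None):
    """Connect, enable keepalives on the TCP socket, then start TLS on top of it."""
    plan = plan or plan_keepalive(FIREWALL_IDLE_TIMEOUT)
    raw = socket.create_connection((host, port), timeout=10)
    try:
        enable_keepalive(raw, plan)
        return ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # unconnected, only to show the options
    enable_keepalive(s, plan_keepalive(FIREWALL_IDLE_TIMEOUT))
    print(read_keepalive(s))
    s.close()
```

Setting the same options on the Syslog server's accepted sockets lets its kernel close connections whose firewall state has already expired, instead of leaving them in ESTABLISHED.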