$ sudo openssl s_client -verify_return_error -connect 10.192.16.35:6514 -cert /etc/rsyslog/ssl/cert.pem -key /etc/rsyslog/ssl/server.key -CAfile /etc/ssl/certs/wmf-ca-certificates.crt
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = Wikimedia_Internal_Root_CA
verify return:1
depth=1 C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = SRE Foundations, CN = puppet_rsa
verify return:1
depth=0 CN = centrallog2002.codfw.wmnet
verify return:1
---
Certificate chain
 0 s:CN = centrallog2002.codfw.wmnet
   i:C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = SRE Foundations, CN = puppet_rsa
 1 s:C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = SRE Foundations, CN = puppet_rsa
   i:C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = Wikimedia_Internal_Root_CA
 2 s:C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = Wikimedia_Internal_Root_CA
   i:C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = Wikimedia_Internal_Root_CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGtzCCBJ+gAwIBAgICAYUwDQYJKoZIhvcNAQELBQAweDELMAkGA1UEBhMCVVMx
FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoMGVdpa2ltZWRpYSBGb3Vu
ZGF0aW9uLCBJbmMxGDAWBgNVBAsMD1NSRSBGb3VuZGF0aW9uczETMBEGA1UEAwwK
cHVwcGV0X3JzYTAeFw0yMzExMTIxMjM3MDhaFw0yODExMTExMjM3MDhaMCUxIzAh
BgNVBAMMGmNlbnRyYWxsb2cyMDAyLmNvZGZ3LndtbmV0MIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAtBuUHZ74xeW0V/mxz+a1UPUAtm09NzyOL+doGMqw
9JLDcv1DNGomEto8pcOUA/Zeem4QrBF4x2vhVTmjoTmuH3z2dDmcOQpwVfAHhRYr
t9NRZ3VhKsMfhcS1+SASAYgSTxGw4ErzW9pRR6A9z/oGt/znG2NKx5WOB4cLtyM+
iwsUzsQnYKI1dbs7Hdk74+a+pQEMQX7oSfdTTuWyu99r6/ICa/knMDu7JXjsnaMr
MQ1qApFwkVfZWVoSirwE6qZx2inghcRwR49p0/LTBfslSM/jWI0FDiJHosiAdyjQ
gea5cZxnE1pIPwvqQJ1YxlcyVNndbgLt7Gle4zzD/bodAFSSJi/hhem6eNhHY0/f
vckOFjnfak6CFlfbrmpqaPRvqxsmtUY85rHeZBM2ZbSNpMKIe4B78IPAMfKivY1x
PfSKkxv9G3LrBf11pdCOlAiSb+atHplHevTX77RTknJ/qJwKo3aRyZ71LkWMJ0mY
O6SrMS33MfxkDqjlpG452mvAS0EQWhGjtCmLhDY4pErbrFB8nmkbCqBcb2XR7J8g
S9yUcIUR87rKw+furD+dzpS6dnKkvs7VIiaBLzU3PzVo9HBejFqmDwQvBteMLRv+
I9wrg8Ia0rHvn3jPYbfXen5aC6dXX929aAdIT1nYyB0394q0ni3jTKnPbUa9jDFl
eRECAwEAAaOCAZwwggGYMCUGA1UdEQQeMByCGmNlbnRyYWxsb2cyMDAyLmNvZGZ3
LndtbmV0MDEGCWCGSAGG+EIBDQQkFiJQdXBwZXQgU2VydmVyIEludGVybmFsIENl
cnRpZmljYXRlMIHcBgNVHSMEgdQwgdGAFGur9kcEqXw5kZCtAKJSrgZFzzpgoYGi
pIGfMIGcMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
BxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZV2lraW1lZGlhIEZvdW5kYXRpb24s
IEluYzEXMBUGA1UECxMOQ2xvdWQgU2VydmljZXMxIzAhBgNVBAMMGldpa2ltZWRp
YV9JbnRlcm5hbF9Sb290X0NBghQ5H5kAW2vMspimEMgYxr14Xo7QsjAdBgNVHQ4E
FgQUhkP+ApTk4dfSl0CG6B88iXiDYAowDAYDVR0TAQH/BAIwADAgBgNVHSUBAf8E
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3
DQEBCwUAA4ICAQCcU2VvIjbfOZuJAr+CpDUADJx7Jj2YGaITOsmALortteHwHF75
Vl6CI8/ViwGgY3HDsrg/VD+uuirfWGtPw2SO94yGX6551lYfFvSsYkD7Fdl20wyr
ZTYiNiFLFZQBDl+A/0QnS6qTvxCQUr1NLXoWbMfTvU6SNQQZyTrJ0rwxn70fAMMS
0BEmKS8XW16kydPvzMUMIlc5hhKtY9cnbATkTxM1Mn0m2vMfK8UO+fNmEtQaH1R6
DjdR4xUG1rZVGE9Mz7QDxphX+LD4njSJ8o05PMt++nimvjT5lVUZPSXzAcxmUvi+
BGdmoSuKS1GAZ7hyPnhP2HfNU9zEskRhg1bqrPJ04U/wLwogwj8CmQ3J/m30X+e9
XlgXMG+2MqBvL0rvNtCeTyXGKOZgPSd4k1GpAKNQPT+vXmWTDiKWtXLuM8GgeWhp
rPE9XmWaF7P+hjLCp6efcuqK1eaawcFV0InMQW9MayCGj+gdD2fnzENOzAcMF48L
ziX5B726J01W1QIAMg34Kh5nUYH5qCsrOKxVBSQK1fdbu9mKZb7BZ2kAGdhjTABL
t754xRQcnrOfej6IaH7mxcC0wT9+yb3F9D5LZ8uHJU/yGXSumClFMtDDPLjdMe+o
fQRD7gzYRfOug9YFjZYBnF4Imp/LNMWGgN3yGlExA0HR3gOFJjiO7pbzVQ==
-----END CERTIFICATE-----
subject=CN = centrallog2002.codfw.wmnet

issuer=C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = SRE Foundations, CN = puppet_rsa

---
Acceptable client certificate CA names
CN = Puppet CA: palladium.eqiad.wmnet
C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = Wikimedia_Internal_Root_CA
Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4944 bytes and written 3737 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

# in the following everything succeeds (i.e. the message exist) 
$ sudo cumin 'A:buster' "grep -q 'rsyslogd: invalid cert inf' /var/log/syslog" 
# in the following everything fail (i.e. the message does not exist) 
$ sudo cumin 'A:bullseye or A:bookworm' "grep -q 'rsyslogd: invalid cert inf' /var/log/syslog"

centrallog2002:~$ tail -5 /srv/syslog/titan1002/syslog.log
Nov 14 11:16:06 titan1002 systemd[1]: prometheus_puppet_agent_stats.service: Consumed 1.603s CPU time.
Nov 14 11:16:14 titan1002 sshd[623763]: Connection from 208.80.154.88 port 40210 on 10.64.48.167 port 22 rdomain ""
Nov 14 11:16:14 titan1002 sshd[623763]: Connection closed by 208.80.154.88 port 40210 [preauth]
Nov 14 11:16:19 titan1002 sshd[623782]: Connection from 208.80.153.84 port 42646 on 10.64.48.167 port 22 rdomain ""
Nov 14 11:16:19 titan1002 sshd[623782]: Connection closed by 208.80.153.84 port 42646 [preauth]

centrallog2002:~$ tail -5 /srv/syslog/thanos-fe1001/syslog.log
Nov 14 11:18:22 thanos-fe1001 systemd[1]: prometheus-debian-version-textfile.service: Succeeded.
Nov 14 11:18:22 thanos-fe1001 systemd[1]: Finished Update Debian version stat exported by node_exporter.
Nov 14 11:18:39 thanos-fe1001 systemd[1]: Starting Update NIC firmware stats exported by node_exporter...
Nov 14 11:18:39 thanos-fe1001 systemd[1]: prometheus-nic-firmware-textfile.service: Succeeded.
Nov 14 11:18:39 thanos-fe1001 systemd[1]: Finished Update NIC firmware stats exported by node_exporter.