I'm setting up rsyslog to tunnel syslog-messages via TLS to the loghost.
This is the config file I'm using - found it in the rsyslog documentation:
; Certificate/key is needed in server mode
cert = /etc/stunnel/stunnel.pem
; Some debugging stuff useful for troubleshooting
debug = 7
accept = 60514
connect = 61514
Don't see anything about allowing plain TCP, so I'm guessing it it the default or something.