_Any_ protocol that does end-to-end crypto enables tunneling through the firewall. If you don't want to allow that, you have to have the firewall decrypt, analyze, and re-encrypt. For syslog, this is trivial - make the firewall a syslog forwarder.
Of course, it's practically impossible to stop all tunneling. I could implement a very slow tunnel by encoding bytes in the milliseconds of my log timestamps, and you'd be unlikely to discover me. This is not a syslog problem, it's a generic covert channel problem. -- Carson
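
The millisecond-field tunnel described above, worked through as an added example that is not part of Carson's post. It is a sender that hides one nibble per log line in the low four bits of the fractional-seconds field (so the 0..999 distribution still looks like normal clock jitter), the receiver that reassembles the bytes, and the one thing a decrypt-and-forward syslog relay can do that content inspection alone cannot: rewrite the timestamp so the originating host no longer controls those digits. The host name, program names, cover messages and start time are constructed for the example; the normalizer truncates to whole seconds for determinism, where a real forwarder would stamp its own receive time.

```python
"""Added example (not from the original post): a covert channel in the millisecond
field of syslog timestamps, its decoder, and forwarder-side timestamp normalization
that closes it. Host, programs, messages and START are constructed for the demo."""
import datetime
import re

HOST = "host.example"                                   # constructed
PROGRAMS = ["sshd", "cron", "kernel", "systemd"]       # constructed cover programs
COVER_MESSAGES = [                                      # constructed cover bodies
    "session opened for user alice",
    "job completed",
    "eth0: link is up",
    "Started Daily apt activities.",
]
START = datetime.datetime(2024, 5, 1, 12, 0, 0)         # constructed start time

# RFC 5424 style stamp as emitted below, e.g. 2024-05-01T12:00:01.006Z (fraction optional)
STAMP_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{3}))?Z ")


def to_nibbles(payload: bytes) -> list:
    """Split each byte into its high and low nibble, high first."""
    out = []
    for b in payload:
        out.append(b >> 4)
        out.append(b & 0xF)
    return out


def embed(payload: bytes, start: datetime.datetime) -> list:
    """Sender: one innocuous log line per nibble. The low 4 bits of the millisecond
    field carry the data; the high bits keep whatever the jittered clock produced,
    so the millisecond values still spread across most of 0..999. 4 bits per line."""
    lines = []
    t = start
    for i, nib in enumerate(to_nibbles(payload)):
        # Advance the clock by a plausible, irregular interval (deterministic here).
        t += datetime.timedelta(seconds=1 + (i * 7) % 5, milliseconds=(i * 137) % 1000)
        high = (t.microsecond // 1000) & ~0xF
        high = min(high, 976)            # keep high | nib below 1000
        ms = high | nib
        stamp = f"{t:%Y-%m-%dT%H:%M:%S}.{ms:03d}Z"
        prog = PROGRAMS[i % len(PROGRAMS)]
        msg = COVER_MESSAGES[i % len(COVER_MESSAGES)]
        lines.append(f"{stamp} {HOST} {prog}: {msg}")
    return lines


def extract(lines) -> bytes:
    """Receiver: read the low nibble of each millisecond field and pair nibbles
    back into bytes. Lines without a fractional-seconds field carry nothing."""
    nibbles = []
    for line in lines:
        m = STAMP_RE.match(line)
        if not m or m.group(2) is None:
            continue
        nibbles.append(int(m.group(2)) & 0xF)
    out = bytearray()
    for hi, lo in zip(nibbles[0::2], nibbles[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def normalize(lines) -> list:
    """Forwarder: drop sub-second precision from every stamp. A relay that already
    decrypts and re-encrypts can do this; afterwards the sender no longer controls
    the digits the channel lives in, and extract() recovers nothing."""
    return [STAMP_RE.sub(lambda m: m.group(1) + "Z ", line, count=1) for line in lines]


if __name__ == "__main__":
    covert = embed(b"hi", START)
    for line in covert:
        print(line)
    print("receiver sees:", extract(covert))              # b'hi'
    print("after forwarder:", extract(normalize(covert)))  # b''
```

Each line of the output looks like an ordinary event; only the last digit of the fraction is attacker-controlled, which is why a distribution test on the millisecond values is not a reliable detector and why rewriting the timestamp at the relay is the more dependable control.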
