How would you send syslog *securely* over the public Internet?
Have you tried syslog-ng and stunnel?
- Install Stunnel
- Create certificate files for syslog-ng over Stunnel
- Configure Stunnel for Use With syslog-ng
- Install syslog-ng
- Configure syslog-ng
- DONE!
NOTE:
Stunnel (http://www.stunnel.org) is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
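The stunnel and syslog-ng configuration steps listed in the answer above, written out for both ends of the tunnel. This is an added example, not part of the original answer. The host name, ports, file paths and the syslog-ng object names (`s_local`, `d_tunnel`, `s_tunnel`, `d_remote`) are assumptions, and the certificate options assume stunnel 5.x.

```shell
#!/bin/sh
# Added example: writes stunnel + syslog-ng snippets for both ends of the tunnel.
# loghost.example.org, ports 5140/6514, /etc/stunnel/* paths and the syslog-ng
# names s_local, d_tunnel, s_tunnel, d_remote are assumptions for this example.
write_tunnel_configs() {
    out=$1
    mkdir -p "$out/sender" "$out/collector"

    # Sender: syslog-ng writes plaintext to loopback only; stunnel wraps it in
    # TLS and rejects a collector whose certificate fails chain or name checks.
    cat > "$out/sender/stunnel.conf" <<'EOF'
[syslog-out]
client = yes
accept = 127.0.0.1:5140
connect = loghost.example.org:6514
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = loghost.example.org
cert = /etc/stunnel/sender.pem
key = /etc/stunnel/sender.key
EOF
    cat > "$out/sender/syslog-ng-tunnel.conf" <<'EOF'
destination d_tunnel { tcp("127.0.0.1" port(5140)); };
log { source(s_local); destination(d_tunnel); };
EOF

    # Collector: only the TLS port faces the Internet, and a sender without a
    # certificate signed by our CA is dropped before syslog-ng sees any data.
    cat > "$out/collector/stunnel.conf" <<'EOF'
[syslog-in]
accept = 6514
connect = 127.0.0.1:5140
cert = /etc/stunnel/collector.pem
key = /etc/stunnel/collector.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
requireCert = yes
EOF
    # syslog-ng listens on loopback only; every peer appears as 127.0.0.1.
    cat > "$out/collector/syslog-ng-tunnel.conf" <<'EOF'
source s_tunnel { tcp(ip("127.0.0.1") port(5140)); };
destination d_remote { file("/var/log/remote.log"); };
log { source(s_tunnel); destination(d_remote); };
EOF
}

write_tunnel_configs "${1:-./syslog-tunnel}"
```

Review the generated files before copying them into place; the certificates and keys they reference still have to be created and distributed separately.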
Short answer: VPN
It may seem overkill, but it is the right answer and not that complicated to set up.
Rsyslog can do this: "Encrypting Syslog Traffic with TLS".
You might also check out the free Kiwi Secure Tunnel: http://www.solarwinds.com/products/kiwi_syslog_server/related_tools.aspx
Use syslog-ng or another syslog daemon that supports TCP.
Send the data over an encrypted tunnel. Don't use an SSH tunnel; it is too fiddly.
UDP syslog is a historical brain-damaged protocol that should have been eliminated long ago. If your vendor provides it by default, please lean on them.
If your vendor does not provide a syslog solution that signs each message before sending it on, lean on them.
The software is easy, the algorithms are easy. The politics of getting it installed by default are not.