rsyslog: peer name not authorized - not permitted to talk to it
Turns out that the client was supplying an untrusted certificate.
Steps to figure this out:
On client, run: openssl s_client -connect :10514 and remediate any errors
on server, run: openssl s_client -connect :10514
in rsyslogd.conf, switch: $InputTCPServerStreamDriverAuthMode x509/name to $InputTCPServerStreamDriverAuthMode anon that allows any client to connect without authorizing the client. This ought to allow events to be submitted.
This narrowed it down to a client cert issue.