I have NXLog shipping my Windows Events to another Logstash machine working fine in just TCP. But I want to encrypt the traffic using a self-signed certificate. I think I have a basic understanding of SSL but am confused by the NXLog docs. The NXLog om_ssl docs show:
<Output sslout>
    Module          om_ssl
    Host            localhost
    Port            23456
    CAFile          %CERTDIR%/ca.pem
    CertFile        %CERTDIR%/client-cert.pem
    CertKeyFile     %CERTDIR%/client-key.pem
    KeyPass         secret
    AllowUntrusted  TRUE
    OutputType      Binary
</Output>
Does the CertKeyFile mean that the NXLog "client" needs the private key used to generate the CAFile? I thought the Logstash "server" would have and protect the private key, and the NXLog "client" would encrypt with the CertFile. And the CertFile would be validated against the CAFile.
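
The two ways the om_ssl directives quoted above can be combined, as an added example that is not part of the original post or the NXLog documentation. The host name, port, file names and KeyPass value are assumed placeholders.

```conf
# Added example. Host, Port, file names and KeyPass are assumed placeholders.

# Case 1: server authentication only.
# NXLog holds no private key. It needs only the public certificate that
# vouches for Logstash so it can verify who it is connecting to.
<Output logstash_tls>
    Module          om_ssl
    Host            logstash.example.internal
    Port            5514
    # Public CA certificate that signed the Logstash certificate. In a
    # self-signed setup this is a copy of the Logstash certificate itself.
    # The matching private key never leaves the Logstash machine.
    CAFile          %CERTDIR%/logstash-ca.pem
    # Refuse the connection when the server certificate does not verify.
    # TRUE would still encrypt, but would accept any certificate presented.
    AllowUntrusted  FALSE
</Output>

# Case 2: mutual TLS, for when Logstash is configured to require a client
# certificate. CertFile and CertKeyFile are NXLog's own certificate and the
# private key that belongs to it. CertKeyFile is neither the CA key nor the
# Logstash key.
<Output logstash_mtls>
    Module          om_ssl
    Host            logstash.example.internal
    Port            5514
    CAFile          %CERTDIR%/logstash-ca.pem
    CertFile        %CERTDIR%/nxlog-client-cert.pem
    CertKeyFile     %CERTDIR%/nxlog-client-key.pem
    # Passphrase of the client key file; omit if the key is not encrypted.
    KeyPass         REPLACE_WITH_CLIENT_KEY_PASSPHRASE
    AllowUntrusted  FALSE
</Output>
```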