Per https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html the ClusterLogForwarder output attributes define the protocol used. To satisfy integrity of audit logs in transit, we must make sure that the outputs use TLS.

Looking at the docs, it should be enough to create a rule that ensures that either the https:// or the tls:// protocols are used.