rsyslog.conf

# Input modules
$ModLoad immark.so     # provide --MARK-- message capability
$ModLoad imuxsock.so   # provide local system logging (e.g. via logger command)
$ModLoad imudp         # provides UDP syslog reception
$ModLoad imtcp         # provides TCP syslog reception

# Output modules
$ModLoad omstdout.so       # provide messages to stdout

# Loggly template format
$template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [LOGGLY_AUTH_TOKEN@41058 tag=\"LOGGLY_TAG\"] %msg%\n"

# Setup disk assisted queues. An on-disk queue is created for this action.
# If the remote host is down, messages are spooled to disk and sent when
# it is up again.
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/loggly.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.loggly.com

# Send everything to Loggly over TLS
*.* @@logs-01.loggly.com:6514;LogglyFormat

# TCP Syslog Server
$InputTCPServerRun 514 # start a TCP syslog server at standard port 514

# UDP Syslog Server
$UDPServerRun 514      # start a UDP syslog server at standard port 514