# enable gtls driver and make it the default
$ModLoad imtcp
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$DefaultNetstreamDriverCertFile /etc/ssl/certs/rsyslog.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog.pem

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode

# sample reception (repeat last line for each client)
#$InputTCPServerRun 514
#$InputTCPServerStreamDriverPermittedPeer *.example.net

# sample sending (repeat all lines for each server)
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#$ActionSendStreamDriverPermittedPeer central.example.net
#*.* @@central.example.net:514 # forward everything to remote server