diff --git a/group_vars/all.yml b/group_vars/all.yml
index dfb09cf..bd84047 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -14,6 +14,9 @@ mail_domain: foo.sh
 ldap_basedn: dc=foo,dc=sh
 ldap_server: [ldap.foo.sh]
+# log server
+log_server: loghost.foo.sh
+
 # kerberos settings
 kerberos_realm: FOO.SH
diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml
index f23ed22..6336075 100644
--- a/roles/syslogd/tasks/main.yml
+++ b/roles/syslogd/tasks/main.yml
@@ -26,6 +26,20 @@
 regexp: "^/var/log/all.log.*"
 line: "/var/log/all.log root:{{ ansible_wheel }} 640 7 * $D0 Z"
+- block:
+ - name: configure certificates for remote logging
+ service:
+ name: syslogd
+ arguments: "-h -c {{ tls_certs }}/{{ inventory_hostname }}.crt -k {{ tls_private }}/{{ inventory_hostname }}.key"
+ enabled: yes
+ - name: enable remote logging
+ lineinfile:
+ path: /etc/syslog.conf
+ regexp: '^\*\.\* @.*'
+ line: "*.* @tls://{{ log_server }}:6514"
+ notify: restart syslogd
+ when: inventory_hostname != "log01.home.foo.sh"
+
 - name: include server config
 include_tasks: server.yml
 when: inventory_hostname == "log01.home.foo.sh"
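Review bot: The `configure certificates for remote logging` task in the syslogd role sets new daemon flags but carries no `notify`, so a later change to the `-c`/`-k` paths is not picked up until something else restarts syslogd; add `notify: restart syslogd` to that task, matching the `lineinfile` task below it. The flags pass a client certificate and key but no `-C` CA file, so verification of the log server presumably relies on syslogd's default CA bundle; if `{{ log_server }}` presents a certificate from an internal CA, add `-C` with that CA path rather than turning verification off. The client/server split is keyed on the literal `log01.home.foo.sh` while the forwarding target is `log_server` (`loghost.foo.sh`), so the server certificate has to cover the `loghost` name and the two values can drift apart; a comment above the block such as `# log01.home.foo.sh is the host behind log_server; keep both in sync` would make that explicit. `enabled: yes` is better written as `enabled: true`.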