diff --git a/syslog/manifests/init.pp b/syslog/manifests/init.pp
index 38a2399..63a1608 100644
--- a/syslog/manifests/init.pp
+++ b/syslog/manifests/init.pp
@@ -10,11 +10,19 @@
 # $syslog_server:
 # Address of remote syslog server where to send logs.
 #
+# $syslog_tlsserver:
+# Address of remote syslog server where to send logs over TCP/TLS.
+#
 class syslog::client {
 if !$syslog_type {
 case $operatingsystem {
- "centos": { $syslog_type = "syslogd" }
+ "centos": {
+ $syslog_type = $operatingsystemrelease ? {
+ /^6/ => "rsyslog",
+ default => "syslogd",
+ }
+ }
 "fedora": { $syslog_type = "rsyslog" }
 "openbsd": { $syslog_type = "syslogd" }
 "ubuntu": { $syslog_type = "rsyslog" }
@@ -83,6 +91,12 @@ class syslog::client::rsyslog {
 ensure => installed,
 }
+ if $operatingsystem != "OpenBSD" {
+ package { "rsyslog-gnutls":
+ ensure => installed,
+ }
+ }
+
 file { "/etc/rsyslog.conf":
 ensure => present,
 content => template("syslog/rsyslog.conf.erb",
diff --git a/syslog/templates/rsyslog.conf.erb b/syslog/templates/rsyslog.conf.erb
index b1b997c..c8b0018 100644
--- a/syslog/templates/rsyslog.conf.erb
+++ b/syslog/templates/rsyslog.conf.erb
@@ -7,10 +7,12 @@ $ModLoad immark
 $ModLoad imklog
 # Provides support for local system logging (e.g. via logger command)
 $ModLoad imuxsock
+<% if operatingsystem == "OpenBSD" -%>
 # Local sockets for chrooted services
 $AddUnixListenSocket /var/empty/dev/log
 $AddUnixListenSocket /var/named/dev/log
 $AddUnixListenSocket /var/nsd/dev/log
 $AddUnixListenSocket /var/www/dev/log
+<% end -%>
diff --git a/syslog/templates/syslog.conf.OpenBSD.erb b/syslog/templates/syslog.conf.OpenBSD.erb
index bfee7a4..8415b4b 100644
--- a/syslog/templates/syslog.conf.OpenBSD.erb
+++ b/syslog/templates/syslog.conf.OpenBSD.erb
@@ -1,4 +1,3 @@
-
 *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
 kern.debug;syslog,user.info /var/log/messages
 auth.info /var/log/authlog
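Review bot: The new `$syslog_tlsserver` documentation does not say that the variable is only honoured when `$syslog_type` is rsyslog and that, when set, it wins over `$syslog_server` — both follow from the `if has_variable?('syslog_tlsserver') and syslog_type == "rsyslog" … elsif has_variable?('syslog_server')` branch that this same commit adds to syslog.conf.client.erb. A sysklogd host with only `$syslog_tlsserver` set forwards nothing, and a sysklogd host with both set silently falls back to plaintext UDP, so the caveat belongs in the header comment: `#   Only used when $syslog_type is "rsyslog"; takes precedence over $syslog_server.`. The `/^6/` selector in the centos branch also picks syslogd for any release that does not start with 6, which may not be what is intended for later releases; if rsyslog is meant for 6 and up, `/^[6-9]/` would say so (hedged, since I cannot see which releases the module targets). The documentation block and the `case` statement both continue outside the hunk.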
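Review bot: The `rsyslog-gnutls` package is installed on every non-OpenBSD rsyslog host whether or not `$syslog_tlsserver` is set, which pulls the TLS network stream driver and its GnuTLS dependency onto hosts that only ever forward over UDP. If the intent is to install it only where the template will emit `$DefaultNetstreamDriver gtls`, guard on the variable too, e.g. `if $operatingsystem != "OpenBSD" and $syslog_tlsserver {` — assuming `$syslog_tlsserver` is visible inside `syslog::client::rsyslog` the same way the template's `has_variable?` sees it, which I cannot confirm from the hunk. Conversely, an OpenBSD host whose `$syslog_type` is forced to rsyslog and that has `$syslog_tlsserver` set receives the gtls configuration with no package providing the driver, so that case deserves a comment on the `if`. The `syslog::client::rsyslog` class starts before this hunk and continues after it.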
@@ -12,11 +11,11 @@ mail.info /var/log/maillog
 # Uncomment this line to send "important" messages to the system
 # console: be aware that this could create lots of output.
-#*.err;auth.notice;authpriv.none;kern.debug;mail.crit /dev/console
+#*.err;auth.notice;authpriv.none;kern.debug;mail.crit /dev/console
 # Uncomment this to have all messages of notice level and higher
 # as well as all authentication messages sent to root.
-#*.notice;auth.debug root
+#*.notice;auth.debug root
 # Everyone gets emergency messages.
-*.emerg *
+*.emerg *
diff --git a/syslog/templates/syslog.conf.client.erb b/syslog/templates/syslog.conf.client.erb
index 9570f9e..802dbf3 100644
--- a/syslog/templates/syslog.conf.client.erb
+++ b/syslog/templates/syslog.conf.client.erb
@@ -1,8 +1,21 @@
 *.* <% if operatingsystem != "OpenBSD" %>-<% end %>/var/log/all.log
 mark.* <% if operatingsystem != "OpenBSD" %>-<% end %>/var/log/all.log
+<% if has_variable?('syslog_tlsserver') and syslog_type == "rsyslog" -%>
+
+$DefaultNetstreamDriver gtls
+$DefaultNetstreamDriverCAFile <%= puppet_ssldir %>/certs/ca.pem
+$DefaultNetstreamDriverCertFile <%= puppet_ssldir %>/certs/<%= homename %>.pem
+$DefaultNetstreamDriverKeyFile <%= puppet_ssldir %>/private_keys/<%= homename %>.pem
+
+$ActionSendStreamDriverMode 1
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer <%= syslog_tlsserver %>
+
+*.* @@<%= syslog_tlsserver %>
+mark.* @@<%= syslog_tlsserver %>
+<% elsif has_variable?('syslog_server') -%>
-<% if has_variable?('syslog_server') -%>
 *.* @<%= syslog_server %>
 mark.* @<%= syslog_server %>
 <% end -%>
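Review bot: The TLS block reuses the Puppet agent's own private key, `<%= puppet_ssldir %>/private_keys/<%= homename %>.pem`, so rsyslogd must run with enough privilege to read a file that is normally mode 0600 for the agent's user, and one key now identifies the host to two different services; nothing in the hunk documents that, and if the rest of rsyslog.conf drops privileges (not visible here) the forwarding action will fail at startup. Using `x509/name` with `$ActionSendStreamDriverPermittedPeer <%= syslog_tlsserver %>` is the right choice — the server must present a certificate issued by the Puppet CA whose name (CN or subjectAltName) equals the configured value — but it means `$syslog_tlsserver` has to be both the address rsyslog connects to and the name in the server's certificate, so a bare IP or a CNAME alias will be rejected; a comment above the block would save the next operator a debugging session, e.g. `# Mutual TLS against the Puppet CA using this host's agent certificate; $syslog_tlsserver must match the name in the server certificate.`. The `@@` actions carry no queue settings in this hunk, so with rsyslog's default `$ActionResumeRetryCount` of 0 messages are discarded while the TLS server is unreachable rather than spooled; a disk-assisted action queue (`$ActionQueueType LinkedList`, `$ActionQueueFileName`, `$ActionResumeRetryCount -1`) placed before each action would preserve logs across an outage, hedged because I cannot see the rest of the template. Finally, `has_variable?` is also true for an empty `$syslog_tlsserver`, which renders `*.* @@` with no host; checking the value is non-empty alongside it would be safer.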