diff --git a/handlers/main.yml b/handlers/main.yml
index bc81858629577bd082a34325cd601eef4e15a221..21f7c6500688af1aea5f158c4e44184b03e54b17 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,3 +3,13 @@
 - name: Update CA store
 command: /usr/sbin/update-ca-certificates
+
+- name: Restart rsyslog
+ service:
+ name: rsyslog
+ state: restarted
+
+- name: Restart syslogd
+ service:
+ name: syslogd
+ state: restarted
diff --git a/tasks/syslog_forward.yml b/tasks/syslog_forward.yml
index 7669b8a6a612326b72ea2ea5b8a456fe0dc03d13..1d4b19a2494d82b606e9346da64c032ff33ea9f3 100644
--- a/tasks/syslog_forward.yml
+++ b/tasks/syslog_forward.yml
@@ -3,7 +3,28 @@
 - name: apt install rsyslog
 when: ansible_os_family == 'Debian'
 apt:
- name: rsyslog
+ name: rsyslog-gnutls
 state: present
 update_cache: yes
 cache_valid_time: 3600
+
+- name: Configure rsyslog forwarding
+ when: ansible_os_family == 'Debian'
+ template:
+ src: forwarding.conf.j2
+ dest: /etc/rsyslog.d/forwarding.conf.j2
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - Restart rsyslog
+
+- name: Configure syslogd forwarding
+ when: ansible_os_family == 'OpenBSD'
+ lineinfile:
+ dest: /etc/syslog.conf
+ line: '*.* @tls://{{ syslog_server}}'
+ regexp: '^*.* @'
+ state: present
+ notify:
+ - Restart syslogd
diff --git a/templates/forwarding.conf.j2 b/templates/forwarding.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..96f001a46ebdf40693549542e6ac4217450fbfd1
--- /dev/null
+++ b/templates/forwarding.conf.j2
@@ -0,0 +1,9 @@
+$DefaultNetstreamDriver gtls
+$DefaultNetstreamDriverCAFile {{ tls_ca_cert_path }}
+$DefaultNetstreamDriverCertFile {{ tls_cert_path }}
+$DefaultNetstreamDriverKeyFile {{ tls_key_path }}
+
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer {{ syslog_server }}
+$ActionSendStreamDriverMode 1
+*.* @@{{ syslog_server }}
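Review bot: The template task's `dest: /etc/rsyslog.d/forwarding.conf.j2` keeps the `.j2` suffix, and the stock Debian rsyslog.conf only includes `/etc/rsyslog.d/*.conf`, so the rendered file would most likely never be loaded. Hosts would then keep logging locally with no TLS forwarding and no error from the play; use `dest: /etc/rsyslog.d/forwarding.conf`. In the OpenBSD task, `regexp: '^*.* @'` begins with a quantifier that has nothing to repeat, which Python's `re` rejects, and its dots are unescaped. `regexp: '^\*\.\* @'` matches the literal selector, so lineinfile replaces an existing forward line instead of failing.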
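Review bot: `{{ syslog_server }}` is used both as the forwarding target on the last line and as `$ActionSendStreamDriverPermittedPeer`, so it has to be a bare DNS name that appears in the collector's certificate; an IP address or a `host:port` value would likely fail the `x509/name` check. Because no port is given, `*.* @@{{ syslog_server }}` connects to rsyslog's default TCP port 514 rather than 6514, the port conventionally used for syslog over TLS. If the collector listens on 6514, a separate variable is needed, e.g. `*.* @@{{ syslog_server }}:{{ syslog_port }}` (the variable name is only a suggestion). A header comment stating these constraints, and that the file at `tls_key_path` should be readable only by the account rsyslog runs as, would document what the role expects from its caller.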