https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-syslog-source/rsyslog/

rsyslog.conf

replace & other settings as needed

module(load="imuxsock") # provides support for local system logging
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.conf

$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514
$template DynamicFile,"/var/log/loghost/%HOSTNAME%/%syslogfacility-text%.log"
*.*    -?DynamicFile
$WorkDirectory /var/spool/rsyslog     # where to place spool files
$ActionQueueFileName fwdRule1         # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g           # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on         # save messages to disk on shutdown
$ActionQueueType LinkedList           # run asynchronously
$ActionResumeRetryCount -1            # infinite retries if host is down


$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt

template(name="SumoFormat" type="string" string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% <MY_SECRET_TOKEN> %msg%\n")

action(type="omfwd"
    protocol="tcp"
    target="syslog.collection.us2.sumologic.com"
    port="6514"
    template="SumoFormat"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.collection.*.sumologic.com")