Use rsyslog omfwd format.

Move above other rules because putting it at the bottom did not send
any packets.

Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>

roles/base/files/rsyslog/rsyslog.conf.log01.iad2.fedoraproject.org

@@ -160,6 +160,29 @@ kern.*						?r_kern;TraditionalFormat
 #                     MERGED  R E M O T E   L O G G I N G                          #
 #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
 
+# forward to splunk host, over tls
+#*.* @@splunk-syslog.corp.redhat.com:6514
+#*.* @@10.31.20.29:6514
+
+$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/2022-IT-Root-CA.pem
+*.* action(
+    type="omfwd"
+    target="10.31.20.29"
+    port="6514"
+    protocol="tcp"
+    queue.filename="fwdRule1"       # unique name prefix for spool files
+    queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
+    queue.saveonshutdown="on"       # save messages to disk on shutdown
+    queue.type="LinkedList"         # run asynchronously
+    queue.size="100000"
+    action.resumeRetryCount="10"    # 10 retries if host is down
+    StreamDriver="gtls"
+    StreamDriverMode="1"
+    StreamDriverAuthMode="anon"     # not authenticated
+)
+
+
+
 #------------------------------------------------------------------------------#
 # remote messages log                                                          #
 #------------------------------------------------------------------------------#
@@ -215,10 +238,3 @@ local4.*					?m_http_apps;MergeFormat
 :msg, !contains, "type=AVC" ~
 local6.*					?m_audit;MergeFormat
 
-# forward to splunk host, over tls
-#*.* @@splunk-syslog.corp.redhat.com:6514
-*.* @@10.31.20.29:6514
-$DefaultNetstreamDriver gtls # use gtls netstream driver
-$ActionSendStreamDriverMode 1 # require TLS for the connection
-$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
-$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/2022-IT-Root-CA.pem