diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6c205c355f4c44c603af1df001b71df3a07ca2fd
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+fluentd_cert_passphrase: ''
diff --git a/meta/main.yml b/meta/main.yml
index 55ae93d549abe3d417c9dbffd4e1a1c143e12c4a..13f53af6ff43d722b15c020c56f064d8dae3bb26 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,4 +1,5 @@
 ---
 
 dependencies:
+  - { role: fluentd-client }
   - { role: kibana }
diff --git a/tasks/main.yml b/tasks/main.yml
index ccf8b0d86c40359bca4078628f491e4f95680124..2977f04615f546cfa76d2f538764328e0d7e6cb5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,16 +1,23 @@
-# fluentd
-# http://www.fluentd.org
-# Prepare: http://docs.fluentd.org/articles/before-install
-# curl -L https://toolbelt.treasuredata.com/sh/install-ubuntu-trusty-td-agent2.sh | sh
-#
-# UI: http://docs.fluentd.org/articles/fluentd-ui
-# Plugins
-# fluent-plugin-elasticsearch
-# fluent-plugin-record-reformer
-#
 # Tutorials
 # https://sonnguyen.ws/centralize-docker-logs-with-fluentd-elasticsearch-and-kibana/
 # https://sonnguyen.ws/monitor-nginx-response-time-with-fluentd-kibana-and-elasticsearch/
+#
+# Create SSL-Cert once upfront in the inventory and use the passührase similar to {{ fluentd_cert_passphrase }}:
+# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 90 -subj '/CN={{ fluentd_hostname }}'
 
 ---
 # file: roles/fluentd/tasks/main.yml
+
+- name: "Install Plugins"
+  command: td-agent-gem install {{ item }}
+  with_items:
+    - 'fluent-plugin-elasticsearch'
+    - 'fluent-plugin-record-reformer'
+
+- name: "Copy SSL Key"
+  copy:
+    src='{{ inventory_dir }}/files/ssl/td-agent/key.pem'
+    dest='/etc/ssl/td-agent/key.pem'
+    owner='root'
+    group='root'
+    mode=644
diff --git a/templates/td-agent.conf b/templates/td-agent.conf
new file mode 100644
index 0000000000000000000000000000000000000000..0218b7205b35fa62c753b4cb1f1d81ec30e15c5d
--- /dev/null
+++ b/templates/td-agent.conf
@@ -0,0 +1,23 @@
+<source>
+  @type secure_forward
+  shared_key {{ fluentd_shared_key }}
+  self_hostname {{ inventory_hostname }}
+  secure true
+  ca_cert_path /etc/ssl/td-agent/cert.pem
+  ca_private_key_path /etc/ssl/td-agent/key.pem
+  ca_private_key_passphrase {{ fluentd_cert_passphrase }}
+  authentication yes
+  <user>
+    username {{ fluentd_username }}
+    password {{ fluentd_password }}
+  </user>
+</source>
+
+<match **>
+  @type elasticsearch
+  logstash_format true
+  host 127.0.0.1
+  port 9200
+  index_name fluentd
+  type_name fluentd
+</match>