diff --git a/lib/fluent/plugin/out_syslog_rfc5424.rb b/lib/fluent/plugin/out_syslog_rfc5424.rb
index 49c3ce1..7281b3e 100644
--- a/lib/fluent/plugin/out_syslog_rfc5424.rb
+++ b/lib/fluent/plugin/out_syslog_rfc5424.rb
@@ -13,6 +13,14 @@ class OutSyslogRFC5424 < Output
 config_param :transport, :string, default: "tls"
 config_param :insecure, :bool, default: false
 config_param :trusted_ca_path, :string, default: nil
+ config_param :verify_fqdn, :bool, default: nil
+ config_param :client_cert_path, :string, default: nil
+ config_param :private_key_path, :string, default: nil
+ config_param :private_key_passphrase, :string, default: nil, secret: true
+ config_param :allow_self_signed_cert, :bool, default: false
+ config_param :enable_system_cert_store, :bool, default: true
+ config_param :fqdn, :string, default: nil
+ config_param :version, :string, default: "TLSv1_2"
 config_section :format do
 config_set_default :@type, DEFAULT_FORMATTER
 end
@@ -62,7 +70,18 @@ def socket_options
 { connect: true }
 elsif @transport == 'tls'
 # TODO: make timeouts configurable
- { insecure: @insecure, verify_fqdn: !@insecure, cert_paths: @trusted_ca_path } #, connect_timeout: 1, send_timeout: 1, recv_timeout: 1, linger_timeout: 1 }
+ {
+ insecure: @insecure,
+ verify_fqdn: @verify_fqdn.nil? ? !@insecure : @verify_fqdn,
+ cert_paths: [@trusted_ca_path],
+ cert_path: @client_cert_path,
+ private_key_path: @private_key_path,
+ private_key_passphrase: @private_key_passphrase,
+ allow_self_signed_cert: @allow_self_signed_cert,
+ enable_system_cert_store: @enable_system_cert_store,
+ fqdn: @fqdn,
+ version: @version.to_sym
+ } #, connect_timeout: 1, send_timeout: 1, recv_timeout: 1, linger_timeout: 1 }
 else
 {}
 end
diff --git a/test/plugin/out_syslog_rfc5424_spec.rb b/test/plugin/out_syslog_rfc5424_spec.rb
index 684aa26..230703f 100644
--- a/test/plugin/out_syslog_rfc5424_spec.rb
+++ b/test/plugin/out_syslog_rfc5424_spec.rb
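Review bot: `config_param :version, :string, default: "TLSv1_2"` accepts any string, and the hash built in socket_options symbolizes it unchecked, so a typo such as `TLSv12` only surfaces when the first TLS connection is attempted instead of at configure time. Fluentd's own forward plugins declare this as `config_param :version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION`, which keeps the same default, rejects unknown values up front and makes the later `.to_sym` unnecessary — worth adopting if that constant exists in the fluentd version this plugin targets. Separately, nothing ties `client_cert_path` and `private_key_path` together; a `configure` check that raises `Fluent::ConfigError` when exactly one of them is set would make a half-configured mutual-TLS setup fail loudly rather than at connect time.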
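Review bot: `cert_paths: [@trusted_ca_path]` evaluates to `[nil]` when `trusted_ca_path` is left at its default, so every plain-TLS configuration now hands the socket helper a one-element array containing nil rather than no CA list at all; the old code passed the bare string, which was also the wrong shape, but wrapping unconditionally trades one bug for another. `cert_paths: @trusted_ca_path && [@trusted_ca_path],` keeps nil when unset and presumably lets the helper fall through to the system store governed by `enable_system_cert_store` — confirm against the helper's handling of a nil versus empty list. The `insecure`/`verify_fqdn` pairing also deserves a comment, e.g. `# verify_fqdn defaults to the inverse of insecure; an explicit setting wins`, since a reader cannot otherwise tell that `insecure true` with `verify_fqdn` unset disables hostname verification. socket_options begins before this hunk.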
@@ -35,9 +35,9 @@ def test_sends_a_message
 stub(socket).close
 stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
-
+
 any_instance_of(Fluent::Plugin::OutSyslogRFC5424) do |fluent_plugin|
- mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(socket)
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil, :cert_path=>nil, :private_key_path=>nil, :private_key_passphrase=>nil, :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>nil, :version=>"TLSv1_2"}).returns(socket)
 end
 output_driver.run do
@@ -55,7 +55,7 @@ def test_reconnects
 bad_socket = Object.new
 mock(bad_socket).write_nonblock(@formatted_log)
 stub(bad_socket).close
-
+
 good_socket = Object.new
 mock(good_socket).write_nonblock(@formatted_log)
 stub(good_socket).close
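Review bot: The rewritten expectation in this hunk (and the matching ones in the `test_reconnects`, `test_insecure_tls`, `test_secure_tls` and `test_close_is_called_on_sockets` hunks) still expects `:cert_paths=>nil` and `:version=>"TLSv1_2"`, but `socket_options` in this same commit builds `cert_paths: [@trusted_ca_path]` and `version: @version.to_sym`, which yield `[nil]` and `:TLSv1_2` for the default configuration. The mocking library here (this looks like RR) matches `socket_create` arguments by equality, so these expectations cannot match and the tests should fail as written; either the plugin or the spec has to change, and whichever shape is settled on should be mirrored exactly in these hashes. The `-`/`+` pair at the top of the hunk is a whitespace-only change unrelated to the feature.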
@@ -64,8 +64,8 @@ def test_reconnects
 mock(IO).select(nil, [good_socket], nil, 1) { ["not an error"] }
 any_instance_of(Fluent::Plugin::OutSyslogRFC5424) do |fluent_plugin|
- mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(bad_socket)
- mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(good_socket)
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil, :cert_path=>nil, :private_key_path=>nil, :private_key_passphrase=>nil, :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>nil, :version=>"TLSv1_2"}).returns(bad_socket)
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil, :cert_path=>nil, :private_key_path=>nil, :private_key_passphrase=>nil, :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>nil, :version=>"TLSv1_2"}).returns(good_socket)
 end
 output_driver.run(shutdown: false, force_flush_retry: true) do
@@ -112,7 +112,7 @@ def test_insecure_tls
 stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
 any_instance_of(Fluent::Plugin::OutSyslogRFC5424) do |fluent_plugin|
- mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>true, :verify_fqdn=>false, :cert_paths=>nil}).returns(socket)
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>true, :verify_fqdn=>false, :cert_paths=>nil, :cert_path=>nil, :private_key_path=>nil, :private_key_passphrase=>nil, :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>nil, :version=>"TLSv1_2"}).returns(socket)
 end
 output_driver.run do
@@ -136,7 +136,39 @@ def test_secure_tls
 stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
 any_instance_of(Fluent::Plugin::OutSyslogRFC5424) do |fluent_plugin|
- mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>"supertrustworthy"}).returns(socket)
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>"supertrustworthy", :cert_path=>nil, :private_key_path=>nil, :private_key_passphrase=>nil, :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>nil, :version=>"TLSv1_2"}).returns(socket)
+ end
+
+ output_driver.run do
+ output_driver.feed("tag", @time, {"log" => "hi"})
+ end
+ end
+
+ def test_secure_mutual_tls
+ output_driver = create_driver %(
+ @type syslog_rfc5424
+ host example.com
+ port 123
+ transport tls
+ verify_fqdn true
+ trusted_ca_path supertrustworthy
+ client_cert_path clientsupertrustworthykey
+ private_key_path clientsupertrustworthykey
+ private_key_passphrase clientsupertrustworthypassphrase
+ allow_self_signed_cert false
+ enable_system_cert_store true
+ fqdn supertrustworthyfqdn
+ version "TLSv1_2"
+ )
+
+ socket = Object.new
+ mock(socket).write_nonblock(@formatted_log)
+ stub(socket).close
+
+ stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
+
+ any_instance_of(Fluent::Plugin::OutSyslogRFC5424) do |fluent_plugin|
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>"supertrustworthy", :cert_path=>"supertrustworthy", :private_key_path=>"clientsupertrustworthykey", :private_key_passphrase=>"clientsupertrustworthykey", :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>"supertrustworthyfqdn", :version=>"TLSv1_2"}).returns(socket)
 end
 output_driver.run do
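Review bot: The expectation in `test_secure_mutual_tls` does not match the configuration the test feeds in: the fixture sets `client_cert_path clientsupertrustworthykey` and `private_key_passphrase clientsupertrustworthypassphrase`, yet the mock expects `:cert_path=>"supertrustworthy"` and `:private_key_passphrase=>"clientsupertrustworthykey"`, so the argument match fails independently of the `cert_paths`/`version` shape question. Using a distinct value for every parameter (e.g. `client_cert_path clientcert`, `private_key_path clientkey`) and mirroring each one exactly in the expected hash would also let the test detect a swapped field, which it cannot today because `client_cert_path` and `private_key_path` are given the same value. test_secure_mutual_tls continues past the end of the hunk.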
@@ -158,7 +190,7 @@ def test_close_is_called_on_sockets
 stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
 any_instance_of(Fluent::Plugin::OutSyslogRFC5424) do |fluent_plugin|
- mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(socket)
+ mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil, :cert_path=>nil, :private_key_path=>nil, :private_key_passphrase=>nil, :allow_self_signed_cert=>false, :enable_system_cert_store=>true, :fqdn=>nil, :version=>"TLSv1_2"}).returns(socket)
 end
 output_driver.run do