rsyslog configuration: sending but not receiving

0

I would like to get my on-demand AMI instances using rsyslog to ship application log messages to my middleware (also an AWS AMI). The messages are generated by our analysis application, which is using logback.
I have the necessary re-configurations in my UserData init script:


systemctl stop rsyslog
printf "%s\n" '""" _ rsyslogForward(ACCSERVER) _ """' | sed 's/__/"/'g >> /etc/rsyslog.d/loghost.conf;
printf "& stop\n" >> /etc/rsyslog.d/loghost.conf
systemctl start rsyslog


and I'm hopeful that will work. Meanwhile I'm testing from a static Linux instance which can see ACCSERVER (at least it can hit the port of the custom service running there on 15002) with the following in /etc/rsyslog.d/loghost.conf using


local3.info action(type="omfwd" target="10.0.2.28" port="514" protocol="tcp"
    action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
& stop


The log server (10.0.2.28) has this directive in its /etc/rsyslog.d/50-sgs.conf:


local3.info /var/log/sgs.log
& stop


and TCP enabled in rsyslog.conf:


# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf


On the static instance (source of messages) I can turn the "stop" directive off and on and respectively I get/don't get my tests in /var/log/messages. From this I take it that I'm sending log messages /somewhere else/ when I have the stop enabled. But the tests never make it to the server's log files: not in /var/log/messages nor the custom /var/log/sgs.log. I've restarted rsyslog on both machines (over and over). /var/log/sgs.log exists and accepts test messages from localhost:


[root@ip-10-0-2-28 ]# logger -p local3.info test SGS3TEST message
[root@ip-10-0-2-28 ]# grep SGS3TE /var/log/sgs.log
Dec 6 23:49:47 ip-10-0-2-28 ec2-user: test SGS3TEST message


Any help appreciated

asked 4 years ago · 633 views
1 Answer
0

I was missing the fact that the port had to be opened for the security group, not just the bare metal. There's a web page for it.

answered 4 years ago
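
A reachability check for the failure described in this thread, as an added example that is not part of the original question or answer: a connect attempt that times out means packets are being dropped on the way (security group, NACL or host firewall), while an immediate failure means the path is open and the listener is the problem. The function names, the `sg-PLACEHOLDER` group id and `SENDER_CIDR` are assumptions; it needs `bash` and `timeout` on the sending host.

```shell
#!/bin/sh
# Added example: tell "packets silently dropped" apart from "nothing listening"
# on a remote syslog port, run from the sending host.

# Map the exit status of the timed connect attempt to a diagnosis.
classify_exit() {
  case "$1" in
    0)   echo "open" ;;      # handshake completed: the imtcp listener is reachable
    1)   echo "refused" ;;   # immediate failure (RST, unreachable, bad name): check the listener
    124) echo "filtered" ;;  # timeout(1) fired: SYN dropped, check security group / NACL / firewall
    *)   echo "error" ;;     # bash or timeout missing, or another failure
  esac
}

# probe_tcp HOST PORT [SECONDS]
probe_tcp() {
  host=$1; port=$2; secs=${3:-3}; rc=0
  # Host and port are passed as arguments so they are never re-parsed as shell code.
  timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null || rc=$?
  classify_exit "$rc"
}

# When the result is "filtered" between EC2 instances, allow the port in the
# receiver's security group, limited to the senders' address range rather than
# 0.0.0.0/0 (group id and CIDR are placeholders):
#   aws ec2 authorize-security-group-ingress --group-id sg-PLACEHOLDER \
#       --protocol tcp --port 514 --cidr SENDER_CIDR

# Stand-alone use, with the address and port from the question:
#   sh probe.sh 10.0.2.28 514
if [ "$#" -ge 2 ]; then
  probe_tcp "$@"
fi
```

Once the probe reports `open`, `logger -p local3.info` on the sender should produce a line in /var/log/sgs.log on the log server.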
