diff --git a/README.md b/README.md
index 1eef97c298f1746e42576ae95f1ca8c255b3b94e..91c4bda29e7ce32542bc8ab00354625e84666ad3 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,8 @@ A [prometheus](http://prometheus.io/) exporter for [rsyslog](http://rsyslog.com)
 ## Rsyslog Configuration
 Configure rsyslog to push JSON formatted stats via omprog:
 ```
+module(load="omprog")
+
 module(
   load="impstats"
   interval="10"
@@ -17,13 +19,25 @@ ruleset(name="process_stats") {
   action(
     type="omprog"
     name="to_exporter"
-    binary="/usr/local/bin/rsyslog_exporter"
+    binary="/usr/local/bin/rsyslog_exporter [--tls.server-crt=/path/to/tls.crt --tls.server-key=/path/to/tls.key]"
   )
 }
 ```
 
 The exporter itself logs back via syslog, this cannot be configured at the moment.
 
+## Command Line Switches
+* `web.listen-address` - default `:9104` - port to listen to (NOTE: the leading
+  `:` is required for `http.ListenAndServe`)
+* `web.telemetry-path` - default `/metrics` - path from which to serve Prometheus metrics
+* `tls.server-crt` - default `""` - PEM encoded file containing the server certificate and
+  the CA certificate for use with `http.ListenAndServeTLS`
+* `tls.server-key` - default `""` - PEM encoded file containing the unencrypted
+  server key for use with `tls.server-crt`
+
+If you want the exporter to listen for TLS (`https`) you must specify both
+`tls.server-crt` and `tls.server-key`.
+
 ## Provided Metrics
 The following metrics provided by the rsyslog [impstats](https://www.rsyslog.com/doc/master/configuration/modules/impstats.html) module are tracked by rsyslog_exporter:
 
diff --git a/main.go b/main.go
index 037011d2bb32d93ff3e1f6a68a12ce413a40a915..90ef19f31fc95a93f21a1ba16fcd5ab4a03e9598 100644
--- a/main.go
+++ b/main.go
@@ -15,6 +15,8 @@ import (
 var (
 	listenAddress = flag.String("web.listen-address", ":9104", "Address to listen on for web interface and telemetry.")
 	metricPath    = flag.String("web.telemetry-path", "/metrics", "Path under which to expose metrics.")
+	certPath      = flag.String("tls.server-crt", "", "Path to PEM encoded file containing TLS server cert.")
+	keyPath       = flag.String("tls.server-key", "", "Path to PEM encoded file containing TLS server key (unencyrpted).")
 )
 
 func main() {
@@ -51,6 +53,13 @@ func main() {
 `))
 	})
 
-	log.Printf("Listening on %s", *listenAddress)
-	log.Fatal(http.ListenAndServe(*listenAddress, nil))
+	if *certPath == "" && *keyPath == "" {
+		log.Printf("Listening on %s", *listenAddress)
+		log.Fatal(http.ListenAndServe(*listenAddress, nil))
+	} else if *certPath == "" || *keyPath == "" {
+		log.Fatal("Both tls.server-crt and tls.server-key must be specified")
+	} else {
+		log.Printf("Listening for TLS on %s", *listenAddress)
+		log.Fatal(http.ListenAndServeTLS(*listenAddress, *certPath, *keyPath, nil))
+	}
 }