Splitting messages based on a site ID

From rsyslog wiki


In this scenario we have multiple sites. At each site, local systems send their messages to a site-local relay server, which in turn forwards them to a central repository. The central repository must be able to tell which site a given message came from.

We modify the syslog messages on the relay to include a site ID, which the central repository then extracts. We use a format that is easy to work with, relying on the field-based extraction features of the property replacer. Please note, however, that future versions may offer better ways to do this, so this should be considered an interim solution (this was written at the time when 3.17.x was the current devel version).

Please also note that cryptographic signatures, if they exist, will be invalidated by the approach taken here, because the message text is rewritten in transit. So you do not want to do this if you need to preserve signatures (at the time of writing this was not a big concern, given that no real-life syslogd emitted signatures).

On the relay server, you need to have this (the `@@` prefix selects forwarding over plain TCP):

$template tplSiteID,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%,siteID,%msg%"
*.* @@centralsrv.example.net;tplSiteID

If you don't want to lose messages when something goes wrong (for example when the connection to the central server drops), you can use the reliable RELP protocol instead of plain TCP. This needs just a slight modification on the sending side, i.e. on the relay:

$template tplSiteID,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%,siteID,%msg%"
*.* :omrelp:centralsrv.example.net;tplSiteID

On the receiver, you need to have this:

$template siteFile,"/home/rger/proj/rsyslog/sitelogs/%msg:F,44:2:%/messages"
*.* ?siteFile

Of course, you also need to load the matching input plugin on the receiver (imtcp for plain TCP, imrelp for RELP) and start a listener, so that it can receive messages via the selected protocol. Keep in mind that you also need to open the port in question in the firewall. Restrict that port to the relays: the receiver trusts the site ID field exactly as it arrives, so any host that can reach the port directly could supply a site ID of its own choosing.

The logic on the receiver side extracts the site ID from the second comma-separated field of the message (`F,44` selects the comma, ASCII 44, as the delimiter; field 1 is the empty string before the first comma) and uses it as a directory name. Because the extracted value ends up in a file system path, consider adding the property replacer's `secpath-drop` or `secpath-replace` option to the extraction (if your version supports it) so that slashes in the field cannot create additional path components. Note that you can use the site ID wherever you can use a template, so the same extraction also works for other outputs, not just for files.
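To make the relay/receiver interplay concrete, here is an added Python model (example code written for this page, not part of rsyslog or of the wiki): it renders the relay's tplSiteID template, parses the result the way the receiver does, extracts comma-field 2 as `%msg:F,44:2:%` would, and then applies the hardening a practitioner would want before using the value as a directory name. The site ID "siteA", the base directory /var/log/sitelogs, the sample messages and the tag-parsing rule (TAG ends at the first ':' or space, or after 32 characters) are assumptions of the model, not facts from the page; rsyslog's own parser and its secpath-replace option are only approximated here.

```python
import posixpath
import re

# Constructed values for this example (not taken from the wiki page):
# the relay's site ID and a base directory for the receiver's dynafiles.
SITE_ID = "siteA"
BASE_DIR = "/var/log/sitelogs"


def relay_render(pri, timestamp, host, tag, msg, site_id=SITE_ID):
    """Model of the relay's tplSiteID template:
    "<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%,siteID,%msg%"
    %syslogtag:1:32% keeps at most the first 32 characters of the tag, and
    ',siteID,' is inserted between the tag and the original MSG."""
    return f"<{pri}>{timestamp} {host} {tag[:32]},{site_id},{msg}"


def receiver_split(line):
    """Model of the receiver's legacy syslog parsing (an assumption about
    rsyslog, not its code): after PRI, TIMESTAMP and HOSTNAME, the TAG runs
    up to and including the first ':', or up to the first ' ' or 32 chars;
    everything after the TAG is MSG."""
    m = re.match(r"<(\d{1,3})>(\S+) (\S+) (.*)\Z", line, re.S)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri, ts, host, rest = m.groups()
    tag, msg = rest, ""            # no terminator found: whole rest is TAG
    for i, ch in enumerate(rest):
        if ch == ":":
            tag, msg = rest[: i + 1], rest[i + 1:]
            break
        if ch == " " or i == 32:
            tag, msg = rest[:i], rest[i:]
            break
    return {"pri": int(pri), "timestamp": ts, "hostname": host,
            "syslogtag": tag, "msg": msg}


def field(msg, delim, n):
    """Model of %msg:F,<delim>:<n>:% -- the n-th (1-based) field of msg
    split on the character with ASCII code delim (44 is the comma)."""
    parts = msg.split(chr(delim))
    return parts[n - 1] if n <= len(parts) else ""


def secpath_replace(value):
    """Model of the property replacer option 'secpath-replace': every '/'
    in the field becomes '_', so the value can only ever be one path
    component."""
    return value.replace("/", "_")


def site_dir(msg, base=BASE_DIR, sanitize=True):
    """Receiver logic of the wiki's siteFile template, hardened: take
    comma-field 2 as the site ID, optionally neutralise slashes, and refuse
    any result that does not resolve to exactly <base>/<siteID>/messages."""
    site = field(msg, 44, 2)
    if sanitize:
        site = secpath_replace(site)
    if not site:
        raise ValueError("no site ID in message: %r" % msg)
    path = posixpath.normpath(posixpath.join(base, site, "messages"))
    if posixpath.dirname(posixpath.dirname(path)) != base:
        raise ValueError("site ID escapes %s: %r" % (base, site))
    return path


def route_line(line, base=BASE_DIR, sanitize=True):
    """Full receiver side: parse the relayed line and pick its log file."""
    return site_dir(receiver_split(line)["msg"], base, sanitize)


if __name__ == "__main__":
    ts = "2008-05-10T12:00:00+02:00"
    # 1. A normal message relayed with the site ID inserted.
    good = relay_render(34, ts, "web1", "sshd[1234]:", "Accepted publickey for root")
    print(good)
    print(route_line(good))          # /var/log/sitelogs/siteA/messages
    # 2. A constructed line from a host that bypassed the relay and chose
    #    its own "site ID": slashes are neutralised, traversal is refused.
    rogue = "<34>%s attacker evil:,../../etc,payload" % ts
    print(route_line(rogue))         # /var/log/sitelogs/.._.._etc/messages
    try:
        route_line(rogue, sanitize=False)
    except ValueError as e:
        print("rejected:", e)
    # 3. A tag without a trailing ':' swallows the inserted fields under
    #    this parsing model, so no site ID can be extracted.
    try:
        route_line(relay_render(0, ts, "host", "kernel", "oops"))
    except ValueError as e:
        print("rejected:", e)
```

Run as a script it walks through three cases: a normal message lands in the siteA directory; a constructed line that reached the receiver without passing through the relay gets its slashes neutralised (and is rejected outright when sanitising is switched off, which is what the containment check is for); and a message whose original tag does not end in ':' yields no site ID at all under this parsing model, which is why the scheme works best with the usual "program[pid]:" style tags. The first two cases are the practical reason for limiting the receiving port to the relays and for using a secpath option on the extraction.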
