Sysklogd drop-in with remote logs separated by dynamic directory
From rsyslog wiki
This configuration uses expression-based filters to mirror an existing sysklogd configuration. It additionally listens on the network and separates logs from remote hosts into dynamically created directories, while keeping the same default sysklogd-style facility and priority filters in the remote directories.
Tested with 3.15.0-development.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
# Severity is numeric: 0 = emerg ... 6 = info, so "info or higher" is <= 6.
if \
$source == 'localhost' \
and \
$syslogseverity <= 6 \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages
# The authpriv file has restricted access.
#authpriv.* /var/log/secure
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'authpriv' \
then /var/log/secure
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'mail' \
then -/var/log/maillog
# Log cron stuff
#cron.* /var/log/cron
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'cron' \
then /var/log/cron
# Everybody gets emergency messages
#*.emerg *
if \
$source == 'localhost' \
and \
$syslogseverity-text == 'emerg' \
then *
# Save news errors of level crit and higher in a special file.
#uucp,news.crit /var/log/spooler
if \
$source == 'localhost' \
and \
(\
$syslogfacility-text == 'uucp' \
or \
$syslogfacility-text == 'news' \
)\
and \
$syslogseverity <= 2 \
then /var/log/spooler
# Save boot messages also to boot.log
#local7.* /var/log/boot.log
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'local7' \
then /var/log/boot.log
# Remote logging
$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
$template DYNmessages,"/var/log/%HOSTNAME%/messages"
$template DYNsecure,"/var/log/%HOSTNAME%/secure"
$template DYNmaillog,"/var/log/%HOSTNAME%/maillog"
$template DYNcron,"/var/log/%HOSTNAME%/cron"
$template DYNspooler,"/var/log/%HOSTNAME%/spooler"
$template DYNboot,"/var/log/%HOSTNAME%/boot.log"
# Same "info or higher" test as the local rule: numeric severity <= 6.
if \
$source != 'localhost' \
and \
$syslogseverity <= 6 \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then ?DYNmessages
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'authpriv' \
then ?DYNsecure
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'mail' \
then -?DYNmaillog
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'cron' \
then ?DYNcron
if \
$source != 'localhost' \
and \
(\
$syslogfacility-text == 'uucp' \
or \
$syslogfacility-text == 'news' \
)\
and \
$syslogseverity <= 2 \
then ?DYNspooler
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'local7' \
then ?DYNboot
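The DYN* templates above name each directory after %HOSTNAME%, which rsyslog reads from the received message, and the imudp listener on 0.0.0.0 accepts datagrams from any host that can reach port 514. The following is an added example, not part of the original wiki page: it replaces the six templates with ones keyed on the sender's address and restricts who may send. The 192.0.2.0/24 network is a placeholder, and the example assumes an rsyslog version that provides $AllowedSender, the fromhost-ip property and the secpath-replace option.

```conf
# Added example, not from the original page.

# Accept UDP syslog only from known senders.
# 192.0.2.0/24 is a placeholder; substitute the networks that should log here.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24

# Name the per-host directory after the address the datagram came from,
# not after the hostname field carried inside the message.
$template DYNmessages,"/var/log/%fromhost-ip%/messages"
$template DYNsecure,"/var/log/%fromhost-ip%/secure"
$template DYNmaillog,"/var/log/%fromhost-ip%/maillog"
$template DYNcron,"/var/log/%fromhost-ip%/cron"
$template DYNspooler,"/var/log/%fromhost-ip%/spooler"
$template DYNboot,"/var/log/%fromhost-ip%/boot.log"

# If hostname-named directories are required instead, the property replacer
# option secpath-replace turns any "/" in the field into "_", for example:
#   $template DYNmessages,"/var/log/%HOSTNAME:::secpath-replace%/messages"
```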

