$ModLoad imuxsock # provides support for local system logging
$ModLoad immark # provides --MARK-- message capability
$MarkMessagePeriod 900 # mark messages appear every 15 Minutes
+$ModLoad imtcp
+$InputTCPServerRun 514 # Accept TCP connections on the default syslog port
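Review bot: `$InputTCPServerRun 514` opens a plain-TCP listener with no sender restriction and no transport security anywhere in the visible config, so any host that can reach port 514 can write into the central log store and the log traffic is readable in transit. Consider restricting senders with `$AllowedSender TCP, <placeholder: trusted subnet>` (or an equivalent firewall rule), and moving to a TLS netstream driver where the installed rsyslogd supports it. A short comment naming the networks expected to send here would help later reviewers.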
###########################
#### GLOBAL DIRECTIVES ####
$FileCreateMode 0640
$DirCreateMode 0755
+# Store any queues here. This directory is not created automatically, so it
+# must already exist!
+$WorkDirectory /var/spool/rsyslog
+
+# Use a (disk-assisted) main queue
+# Use a linked list for queueing
+$MainMsgQueueType LinkedList
+# Name to use for the queue file
+$MainMsgQueueFileName main
+# save in-memory data if rsyslog shuts down
+$MainMsgQueueSaveOnShutdown on
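Review bot: The disk-assisted main queue has no size bound in the lines shown, and it now backs a listener that accepts messages from the network. A flood or a stalled output can therefore let the spool grow until the filesystem holding `/var/spool/rsyslog` is full. Add a cap such as `$MainMsgQueueMaxDiskSpace <placeholder: size>` next to `$MainMsgQueueFileName main`. The comment above `$WorkDirectory` could also say that the directory should be accessible only to the rsyslog user, since queue files hold raw log data.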
+
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
+########################
+#### Remote logging ####
+########################
-###############
-#### RULES ####
-###############
+# Log lines received from other servers (as well as our own logs) centrally.
+$template HostFacilityLog,"/data/log/rsyslog/hosts/%fromhost%/facilities/%syslogfacility-text%.log"
+$template HostSeverityLog,"/data/log/rsyslog/hosts/%fromhost%/severities/%syslogseverity-text%.log"
+$template HostAppLog,"/data/log/rsyslog/hosts/%fromhost%/apps/%app-name%.log"
+
+# Use a verbose logging format
+$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+
+# Log by facility, severity and appname
+*.* ?HostFacilityLog;LogFormat
+*.* ?HostSeverityLog;LogFormat
+*.* ?HostAppLog;LogFormat
+# Log all entries in a single file, which is meant to be parsed by logcheck
+# (hence the traditional format).
+*.* -/data/log/rsyslog/all.log;RSYSLOG_TraditionalFileFormat
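Review bot: The three dynamic-file templates build paths from `%fromhost%` and `%app-name%`, both of which the sender influences (reverse DNS and the message header), so a remote peer helps choose directory and file names under `/data/log/rsyslog/hosts/`. Use the path-safe property options, e.g. `%app-name:::secpath-replace%` and `%fromhost:::secpath-replace%`, so a slash cannot end up inside a path component. Each distinct app name also creates a new file, so a quota or disk monitoring on `/data/log/rsyslog` is worth adding. Whether the deployed rsyslogd already sanitises these fields is not visible here and should be confirmed.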
+
+# Debugging format. Based on RSYSLOG_DebugFormat, available in later versions
+# of rsyslogd, with some variations.
+$template DebugFormat,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%', syslogtag: '%syslogtag%'\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
+# Uncomment this to have detailed logging for debugging
+#*.* -/data/log/rsyslog/debug.log;DebugFormat
+
+
+#######################
+#### Local logging ####
+#######################
+
+# Discard all log entries not locally generated. Newer versions of rsyslogd
+# have the $fromhost-ip property which can be checked against 127.0.0.1, which
+# is probably slightly more reliable, but this will work for now.
+if $fromhost != 'log' then ~
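Review bot: The discard rule `if $fromhost != 'log' then ~` comes after `$IncludeConfig /etc/rsyslog.d/*.conf`, so by the visible ordering any rule in an included file is evaluated before remote messages are dropped and will also see lines from other servers. The rule also hard-codes this server's name, so a sender whose address reverse-resolves to `log` would presumably be treated as local and reach `auth.log` and the other facility files. State the hostname dependency in the comment, and switch to a source-address comparison once the `$fromhost-ip` property it mentions is available. If the included files are meant to handle only local messages, the include belongs below this rule.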
-#
# Log each facility into its own log
-auth,authpriv.* /var/log/auth.log
-cron.* -/var/log/user.log
-daemon.* -/var/log/daemon.log
-kern.* -/var/log/kern.log
-lpr.* -/var/log/lpr.log
-mail.* -/var/log/mail.log
-user.* -/var/log/user.log
+auth,authpriv.* /var/log/rsyslog/auth.log
+cron.* -/var/log/rsyslog/user.log
+daemon.* -/var/log/rsyslog/daemon.log
+kern.* -/var/log/rsyslog/kern.log
+lpr.* -/var/log/rsyslog/lpr.log
+mail.* -/var/log/rsyslog/mail.log
+user.* -/var/log/rsyslog/user.log
local0,local1,local2,\
local3,local4,local5,\
- local6,local7.* -/var/log/local.log
+ local6,local7.* -/var/log/rsyslog/local.log
# Omitted facilities: syslog, news, uucp, ftp
*.*;\
*.!=debug;\
auth,authpriv.none;\
- mail.none -/var/log/syslog
+ mail.none -/var/log/rsyslog/syslog
# Debug entries end up in debug.log as well as the corresponding facility log
# above (except for auth and mail, which only end up in the facility logs for
# privacy reasons).
*.=debug;\
auth,authpriv.none;\
- news.none;mail.none -/var/log/debug.log
+ news.none;mail.none -/var/log/rsyslog/debug.log
#
# Emergencies are sent to everybody logged in.
#