#################
$ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog # provides kernel logging support (previously done by rklogd)
-#$ModLoad immark # provides --MARK-- message capability
-
-# provides UDP syslog reception
-#$ModLoad imudp
-#$UDPServerRun 514
-
-# provides TCP syslog reception
-#$ModLoad imtcp
-#$InputTCPServerRun 514
-
+$ModLoad immark # provides --MARK-- message capability
+$MarkMessagePeriod 900 # mark messages appear every 15 Minutes
+$ModLoad imtcp
+$InputTCPServerRun 514 # Accept TCP connections on the default syslog port
###########################
#### GLOBAL DIRECTIVES ####
#
$IncludeConfig /etc/rsyslog.d/*.conf
+########################
+#### Remote logging ####
+########################
+
+# Log lines received from other servers (as well as our own logs) centrally.
+$template FacilityLog,"/data/log/rsyslog/%hostname%/facilities/%syslogfacility-text%.log"
+$template SeverityLog,"/data/log/rsyslog/%hostname%/severities/%syslogseverity-text%.log"
+$template AppLog,"/data/log/rsyslog/%hostname%/apps/%app-name%.log"
+$template AllLog,"/data/log/rsyslog/all.log"
+
+# Use a verbose logging format
+$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+
+# Log by facility, severity and appname
+*.* ?FacilityLog;LogFormat
+*.* ?SeverityLog;LogFormat
+*.* ?AppLog;LogFormat
+# Log all entries in a single file, which is meant to be parsed by logcheck
+# (hence the traditional format).
+*.* ?AllLog;RSYSLOG_TraditionalFileFormat
+
+#######################
+#### Local logging ####
+#######################
+
+# Discard all log entries not locally generated. Newer versions of rsyslogd
+# have the $fromhost-ip property which can be checked against 127.0.0.1, which
+# is probably slightly more reliable, but this will work for now.
+if $fromhost != 'log' then ~
+
+# Log each facility into its own log
+auth,authpriv.* /var/log/rsyslog/auth.log
+cron.* -/var/log/rsyslog/user.log
+daemon.* -/var/log/rsyslog/daemon.log
+kern.* -/var/log/rsyslog/kern.log
+lpr.* -/var/log/rsyslog/lpr.log
+mail.* -/var/log/rsyslog/mail.log
+user.* -/var/log/rsyslog/user.log
+local0,local1,local2,\
+ local3,local4,local5,\
+ local6,local7.* -/var/log/rsyslog/local.log
+
+# Omitted facilities: syslog, news, uucp, ftp
+
+# All logs end up in syslog as weel as the corresponding facility log above
+# (except for auth, mail which only end up in the facility log for privacy
+# reasons and debug which only ends up in the debug log below to prevent
+# flooding).
+*.*;\
+ *.!=debug;\
+ auth,authpriv.none;\
+ mail.none -/var/log/rsyslog/syslog
-###############
-#### RULES ####
-###############
-
-#
-# First some standard log files. Log by facility.
-#
-auth,authpriv.* /var/log/auth.log
-*.*;auth,authpriv.none -/var/log/syslog
-#cron.* /var/log/cron.log
-daemon.* -/var/log/daemon.log
-kern.* -/var/log/kern.log
-lpr.* -/var/log/lpr.log
-mail.* -/var/log/mail.log
-user.* -/var/log/user.log
-
-#
-# Logging for the mail system. Split it up so that
-# it is easy to write scripts to parse these files.
-#
-mail.info -/var/log/mail.info
-mail.warn -/var/log/mail.warn
-mail.err /var/log/mail.err
-
-#
-# Logging for INN news system.
-#
-news.crit /var/log/news/news.crit
-news.err /var/log/news/news.err
-news.notice -/var/log/news/news.notice
-
-#
-# Some "catch-all" log files.
-#
+# Debug entries end up in debug.log as well as the corresponding facility log
+# above (except for auth and mail, which only end up in the facility logs for
+# privacy reasons).
*.=debug;\
auth,authpriv.none;\
- news.none;mail.none -/var/log/debug
-*.=info;*.=notice;*.=warn;\
- auth,authpriv.none;\
- cron,daemon.none;\
- mail,news.none -/var/log/messages
-
+ news.none;mail.none -/var/log/rsyslog/debug.log
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
-#
-# I like to have messages displayed on the console, but only on a virtual
-# console I usually leave idle.
-#
-#daemon,mail.*;\
-# news.=crit;news.=err;news.=notice;\
-# *.=debug;*.=info;\
-# *.=notice;*.=warn /dev/tty8
-
-# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
-# you must invoke `xconsole' with the `-file' option:
-#
-# $ xconsole -file /dev/xconsole [...]
-#
-# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
-# busy site..
-#
-daemon.*;mail.*;\
- news.err;\
- *.=debug;*.=info;\
- *.=notice;*.=warn |/dev/xconsole
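Review bot: The new `$ModLoad imtcp` / `$InputTCPServerRun 514` lines accept log messages from any sender, while the `FacilityLog`, `SeverityLog` and `AppLog` templates build filesystem paths from `%hostname%` and `%app-name%`, both of which come from the received message and so are controlled by that sender. rsyslog's property replacer has a `secpath-replace` option for dynafile names, so `%hostname:::secpath-replace%` and `%app-name:::secpath-replace%` would keep a slash in either field from creating path components outside `/data/log/rsyslog/`, and an `$AllowedSender TCP, 127.0.0.1, <allowed-network>/<prefix>` line (placeholder; fill in the real log-source range) before `$InputTCPServerRun` would limit who can write into that tree at all. The `if $fromhost != 'log' then ~` discard keys on the resolved sender name rather than an address, which the comment above it already concedes is the weaker check. Separately, `cron.* -/var/log/rsyslog/user.log` looks like a copy-paste slip, since `user.*` writes to the same file two lines later; `cron.* -/var/log/rsyslog/cron.log` is presumably what was intended.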