$ModLoad immark # provides --MARK-- message capability
$MarkMessagePeriod 900 # mark messages appear every 15 Minutes
+$ModLoad imtcp
+$InputTCPServerRun 514 # Accept TCP connections on the default syslog port
+
###########################
#### GLOBAL DIRECTIVES ####
###########################
# save in-memory data if rsyslog shuts down
$MainMsgQueueSaveOnShutdown on
+########################
+#### Remote logging ####
+########################
+
+# Log lines received from other servers (as well as our own logs) centrally.
+$template HostFacilityLog,"/data/log/rsyslog/hosts/%fromhost%/facilities/%syslogfacility-text%.log"
+$template HostSeverityLog,"/data/log/rsyslog/hosts/%fromhost%/severities/%syslogseverity-text%.log"
+$template HostAppLog,"/data/log/rsyslog/hosts/%fromhost%/apps/%app-name%.log"
+
+# Use a verbose logging format
+$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+
+# Log by facility, severity and appname
+*.* ?HostFacilityLog;LogFormat
+*.* ?HostSeverityLog;LogFormat
+*.* ?HostAppLog;LogFormat
+# Log all entries in a single file, which is meant to be parsed by logcheck
+# (hence the traditional format).
+*.* -/data/log/rsyslog/all.log;RSYSLOG_TraditionalFileFormat
+
+# Debugging format. Based on RSYSLOG_DebugFormat, available in later versions
+# of rsyslogd, with some variations.
+$template DebugFormat,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%', syslogtag: '%syslogtag%'\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
+# Uncomment this to have detailed logging for debugging
+#*.* -/data/log/rsyslog/debug.log;DebugFormat
+
#######################
#### Local logging ####
#######################
-#
+# Discard all log entries not locally generated (note that the ~ here is the
+# "discard" action, preventing the rules below from bein ran on these messages.
+if $fromhost-ip != '127.0.0.1' then ~
+
+
# Log each facility into its own log
auth,authpriv.* /var/log/rsyslog/auth.log
cron.* -/var/log/rsyslog/user.log