From 44b93b9422e5336a3757d254fdfd0c379fd87edf Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Mon, 30 Mar 2026 14:55:19 +0000
Subject: [PATCH] Update logfile configurations.
---
 .gitattributesdb | 62 ++++--
 etc/dehydrated/hooks/default | 2 +-
 etc/krb5.conf | 2 +-
 etc/logrotate.conf | 25 +++
 etc/logrotate.d/alternatives | 4 +
 etc/logrotate.d/apache2 | 1 +
 etc/logrotate.d/apt | 15 ++
 etc/logrotate.d/btmp | 3 +
 etc/logrotate.d/dpkg | 4 +
 etc/logrotate.d/php8.4-fpm | 1 +
 etc/logrotate.d/prometheus | 5 +
 etc/logrotate.d/prometheus-alertmanager | 5 +
 etc/logrotate.d/prometheus-node-exporter | 5 +
 etc/logrotate.d/rsyslog | 9 +
 etc/logrotate.d/wtmp | 4 +
 etc/logrotate.d/wtmpdb | 4 +
 etc/rsyslog.conf | 263 +++++++++++++----------
 17 files changed, 287 insertions(+), 127 deletions(-)
 create mode 100644 etc/logrotate.conf
 create mode 100644 etc/logrotate.d/alternatives
 create mode 100644 etc/logrotate.d/apache2
 create mode 100644 etc/logrotate.d/apt
 create mode 100644 etc/logrotate.d/btmp
 create mode 100644 etc/logrotate.d/dpkg
 create mode 100644 etc/logrotate.d/php8.4-fpm
 create mode 100644 etc/logrotate.d/prometheus
 create mode 100644 etc/logrotate.d/prometheus-alertmanager
 create mode 100644 etc/logrotate.d/prometheus-node-exporter
 create mode 100644 etc/logrotate.d/rsyslog
 create mode 100644 etc/logrotate.d/wtmp
 create mode 100644 etc/logrotate.d/wtmpdb
diff --git a/.gitattributesdb b/.gitattributesdb
index 1d4c025..cc3626e 100644
--- a/.gitattributesdb
+++ b/.gitattributesdb
@@ -341,6 +341,44 @@ ZXRjL2xkYXAvc2NoZW1hL3JmYzIzMDdiaXMuc2NoZW1h 1759835660.000000000 1759835660.000 ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - ZXRjL2xvZ2luLmRlZnM= 1771509215.801996599 1745058028.000000000 root:root 0644 - - ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +ZXRjL2xvZ3JvdGF0ZS5jb25m 1774126916.834604932 1773949445.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL2FsdGVybmF0aXZlcw== 1774879964.524246639 1736567071.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL2FwYWNoZTI= 1774879843.654206932 1771512073.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL2FwdA== 1774880481.903855753 1753012285.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL2J0bXA= 1774880027.579223999 1773949445.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL2Rwa2c= 1774880076.286434085 1736567071.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL3BocDguNC1mcG0= 1774880108.513911418 1771512192.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL3Byb21ldGhldXM= 1774880202.364389342 1773502158.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL3Byb21ldGhldXMtYWxlcnRtYW5hZ2Vy 1774880211.284244673 1773502158.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - 
+ZXRjL2xvZ3JvdGF0ZS5kL3Byb21ldGhldXMtbm9kZS1leHBvcnRlcg== 1774880189.240602186 1771512342.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL3JzeXNsb2c= 1774880765.223259890 1771512334.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL3d0bXA= 1774880296.026870307 1773949445.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - +bG9ncm90YXRlLmQ= - - +ZXRjL2xvZ3JvdGF0ZS5kL3d0bXBkYg== 1774880340.794144279 1771511324.000000000 root:root 0644 - - +ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - ZXRjL21vdGQ= 1774109784.320927406 1756052400.000000000 root:root 0644 - - ZXRj 1774881279.806906802 1771501908.000000000 root:root 0755 - - ZXRjL21zbXRwLWFsaWFzZXM= 1758035451.000000000 1758035451.000000000 root:root 0644 - - 
@@ -540,36 +578,36 @@ b3B0L3NiaW4vcHVzaG92ZXItY2xpZW50 1758224526.000000000 1758224526.000000000 root: b3B0 1771515169.961748163 1771501851.000000000 root:root 0755 - - c2Jpbg== 1767688090.000000000 1767688090.000000000 root:root 0777 - - b3B0L3NiaW4vdGVycmFmb3JtLWh0dHAtYmFja2VuZA== 1757590543.000000000 1757590543.000000000 root:root 0755 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - cm9vdC8uYmFzaF9sb2dvdXQ= 1757582867.000000000 1757582867.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - cm9vdC8uYmFzaF9wcm9maWxl 1757584711.000000000 1757584711.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - cm9vdC8uYmFzaHJj 1758887027.000000000 1757586493.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - cm9vdC8uZ2l0Y29uZmln 1757582738.000000000 1757582738.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - cm9vdC8uZ2l0aWdub3Jl 1774104492.728356672 1757600312.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - LmxvY2Fs - - c2hhcmU= - - bmFubw== - - cm9vdC8ubG9jYWwvc2hhcmUvbmFuby8uZ2l0aWdub3Jl 1757586210.000000000 1757586210.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - cm9vdC8ubmFub3Jj 1757585756.000000000 1757585756.000000000 root:root 0644 - - -cm9vdA== 
1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - LnNzaA== - - cm9vdC8uc3NoLy5naXRpZ25vcmU= 1757593349.000000000 1757593349.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - LnNzaA== - - cm9vdC8uc3NoL2F1dGhvcml6ZWRfa2V5cw== 1757587611.000000000 1757587611.000000000 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - c3R1ZmYtdG8ta2VlcA== - - cm9vdC9zdHVmZi10by1rZWVwL2NsZWFuLWZk 1758994151.000000000 1758992264.000000000 root:root 0755 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - c3R1ZmYtdG8ta2VlcA== - - cm9vdC9zdHVmZi10by1rZWVwL2R1bW15LWRlZmF1bHQtbXRh 1762020478.278412865 1762020215.034844513 root:root 0644 - - -cm9vdA== 1774880600.237936610 1771512801.616005200 root:root 0755 - - +cm9vdA== 1774882471.247517956 1771512801.616005200 root:root 0755 - - c3R1ZmYtdG8ta2VlcA== - - cm9vdC9zdHVmZi10by1rZWVwL2R1bW15LWRlZmF1bHQtbXRhXzAuMC4xX2FsbC5kZWI= 1762020499.466056182 1762020499.458056317 root:root 0644 - - dXNy 1774107718.754827355 1771501851.000000000 root:root 0755 - -
diff --git a/etc/dehydrated/hooks/default b/etc/dehydrated/hooks/default
index b28b4b2..80a8479 100755
--- a/etc/dehydrated/hooks/default
+++ b/etc/dehydrated/hooks/default
@@ -8,7 +8,7 @@
 # Where the copies of the current certificates/keys should be placed. Comment for no copying.
 CERTSDIR="/etc/certificates"
 # The syslog facility and tag to use. Comment for no sysloging.
-SYSLOG_FACILITY="local1"
+SYSLOG_FACILITY="lpr"
 SYSLOG_TAG="dehydrated-hooks"
 # Where from/to to send emails. Comment for no emailing.
 EMAIL_FROM="\"Server: ${HOSTNAME%%.*}\" "
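Review bot: Overloading the standard `lpr` facility for dehydrated here (and `news` for Kerberos in the etc/krb5.conf hunk) means anything else that legitimately logs to that facility — a print spooler on this host, or any remote sender handled by the non-ESX branch of remoteSyslog in etc/rsyslog.conf — is filed under /var/log/dehydrated or /var/log/kerberos, where it is easy to overlook. Routing on the program tag instead, e.g. `if $programname == "dehydrated-hooks" then set $.logfile = "dehydrated";` placed before the facility table in localSyslog, keeps the facility free and is not affected by other senders. If the facility mapping is deliberate, a comment next to `SYSLOG_FACILITY="lpr"` noting that it is paired with the `lpr.*` rule in etc/rsyslog.conf would help the next reader.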
diff --git a/etc/krb5.conf b/etc/krb5.conf
index 02bdc9f..26cfaf3 100644
--- a/etc/krb5.conf
+++ b/etc/krb5.conf
@@ -1,5 +1,5 @@
 [logging]
-default = SYSLOG:WARNING:local2
+default = SYSLOG:WARNING:news
 [libdefaults]
 ccache_type = 4
diff --git a/etc/logrotate.conf b/etc/logrotate.conf
new file mode 100644
index 0000000..82c7160
--- /dev/null
+++ b/etc/logrotate.conf
@@ -0,0 +1,25 @@
+# Rotate log files on a monthly basis.
+monthly
+
+# Name files based upon the year/month they are rotated.
+dateext
+dateformat -%Y-%m
+dateyesterday
+
+# Compress rotated logs.
+compress
+
+# Keep 5 years of old logs (just to be sure).
+rotate 60
+
+# Move rotated logs to this directory.
+olddir /var/log/Archived
+
+# After rotating, create new (empty) files with the same owner/perms.
+create
+
+# E-mail logs which are about to be deleted to this address.
+mail sysadmin@slackware.uk
+
+# Read log specific configurations.
+include /etc/logrotate.d
diff --git a/etc/logrotate.d/alternatives b/etc/logrotate.d/alternatives
new file mode 100644
index 0000000..0a428cc
--- /dev/null
+++ b/etc/logrotate.d/alternatives
@@ -0,0 +1,4 @@
+/var/log/alternatives.log {
+ missingok
+ notifempty
+}
diff --git a/etc/logrotate.d/apache2 b/etc/logrotate.d/apache2
new file mode 100644
index 0000000..e965af8
--- /dev/null
+++ b/etc/logrotate.d/apache2
@@ -0,0 +1 @@
+# This file is intentionally empty to prevent new packages re-creating the original content.
diff --git a/etc/logrotate.d/apt b/etc/logrotate.d/apt
new file mode 100644
index 0000000..2b87a5a
--- /dev/null
+++ b/etc/logrotate.d/apt
@@ -0,0 +1,15 @@
+/var/log/apt/eipp.log.xz {
+ missingok
+ nocompress
+ notifempty
+}
+
+/var/log/apt/term.log {
+ missingok
+ notifempty
+}
+
+/var/log/apt/history.log {
+ missingok
+ notifempty
+}
diff --git a/etc/logrotate.d/btmp b/etc/logrotate.d/btmp
new file mode 100644
index 0000000..9d46cf8
--- /dev/null
+++ b/etc/logrotate.d/btmp
@@ -0,0 +1,3 @@
+/var/log/btmp {
+ missingok
+}
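Review bot: `olddir /var/log/Archived` requires the directory to exist before the first run — logrotate reports an error and skips any log whose olddir is missing — and nothing in this commit creates it. A `createolddir 0750 root root` line directly after it removes that ordering dependency and also pins the archive directory's mode, which matters because it will hold years of auth and btmp history. Note that `create` with no mode argument gives the new file the same mode as the one just rotated, so whatever permissions rsyslog uses to create the live files are what every replacement inherits. `mail sysadmin@slackware.uk` sends the oldest rotation of every log, auth included, by e-mail before it is deleted; if that is not wanted for sensitive logs, `nomail` in the relevant etc/logrotate.d entry (or dropping the directive) avoids it.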
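Review bot: `/var/log/btmp { missingok }` leaves the replacement file's mode to the global `create`, which simply copies the mode of the current file; btmp records failed logins and routinely captures passwords typed into the username prompt, so it must not be readable by ordinary users. Pinning it explicitly, `create 0660 root utmp` (or whatever owner and group the live file has on this system), prevents a badly-permissioned file from being perpetuated at every rotation. The same applies to `/var/log/wtmp` and `/var/log/wtmp.db` in the wtmp and wtmpdb hunks, which conventionally get `create 0664 root utmp`.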
diff --git a/etc/logrotate.d/dpkg b/etc/logrotate.d/dpkg
new file mode 100644
index 0000000..686d337
--- /dev/null
+++ b/etc/logrotate.d/dpkg
@@ -0,0 +1,4 @@
+/var/log/dpkg.log {
+ missingok
+ notifempty
+}
diff --git a/etc/logrotate.d/php8.4-fpm b/etc/logrotate.d/php8.4-fpm
new file mode 100644
index 0000000..e965af8
--- /dev/null
+++ b/etc/logrotate.d/php8.4-fpm
@@ -0,0 +1 @@
+# This file is intentionally empty to prevent new packages re-creating the original content.
diff --git a/etc/logrotate.d/prometheus b/etc/logrotate.d/prometheus
new file mode 100644
index 0000000..7377e74
--- /dev/null
+++ b/etc/logrotate.d/prometheus
@@ -0,0 +1,5 @@
+/var/log/prometheus/prometheus.log {
+ copytruncate
+ notifempty
+ missingok
+}
diff --git a/etc/logrotate.d/prometheus-alertmanager b/etc/logrotate.d/prometheus-alertmanager
new file mode 100644
index 0000000..613967b
--- /dev/null
+++ b/etc/logrotate.d/prometheus-alertmanager
@@ -0,0 +1,5 @@
+/var/log/prometheus/prometheus-alertmanager.log {
+ copytruncate
+ notifempty
+ missingok
+}
diff --git a/etc/logrotate.d/prometheus-node-exporter b/etc/logrotate.d/prometheus-node-exporter
new file mode 100644
index 0000000..5deb25a
--- /dev/null
+++ b/etc/logrotate.d/prometheus-node-exporter
@@ -0,0 +1,5 @@
+/var/log/prometheus/prometheus-node-exporter.log {
+ copytruncate
+ notifempty
+ missingok
+}
diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog
new file mode 100644
index 0000000..4867f5e
--- /dev/null
+++ b/etc/logrotate.d/rsyslog
@@ -0,0 +1,9 @@
+/var/log/auth /var/log/crond /var/log/messages /var/log/ftpd /var/log/kernel /var/log/dehydrated /var/log/smtpd /var/log/kerberos /var/log/named /var/log/samba/samba /var/log/rsyncd /var/log/php /var/log/httpd /var/log/ERROR /var/log/EMERG /var/log/DEBUG {
+{
+ missingok
+ notifempty
+ sharedscripts
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
diff --git a/etc/logrotate.d/wtmp b/etc/logrotate.d/wtmp
new file mode 100644
index 0000000..32ddf3d
--- /dev/null
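Review bot: The path list in etc/logrotate.d/rsyslog is followed by two opening braces — the list line ends with `{` and the next line is a bare `{` — which is a syntax error that logrotate will at best warn about and at worst reject, leaving every rsyslog-written log (auth included) unrotated; the `@@ -0,0 +1,9 @@` count confirms the extra line really is there. Drop the second `{` so the file reads `/var/log/auth ... /var/log/DEBUG {` followed directly by `missingok`. Also worth a comment: `/var/log/ERROR`, `/var/log/EMERG` and `/var/log/DEBUG` are only written by the commented-out "next release" rules in etc/rsyslog.conf, so they depend on `missingok` until those land, e.g. `# ERROR/EMERG/DEBUG are not produced yet; see the pending rules in rsyslog.conf.`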
+++ b/etc/logrotate.d/wtmp
@@ -0,0 +1,4 @@
+/var/log/wtmp {
+ notifempty
+ missingok
+}
diff --git a/etc/logrotate.d/wtmpdb b/etc/logrotate.d/wtmpdb
new file mode 100644
index 0000000..1f92bf6
--- /dev/null
+++ b/etc/logrotate.d/wtmpdb
@@ -0,0 +1,4 @@
+/var/log/wtmp.db {
+ notifempty
+ missingok
+}
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index e3caae5..0f911b2 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -1,143 +1,180 @@ +# VMWare: RFC5424 message format. + # Load modules. +module(load="imuxsock" sysSock.usePIDFromSystem="on") module(load="imudp") module(load="imtcp") -module(load="builtin:omfile" dirCreateMode="0750" dirOwnerNum="0" dirGroupNum="0" fileCreateMode="0640" fileOwnerNum="0" fileGroupNum="0" compression.driver="zstd") - +module(load="imfile" Mode="inotify") +module(load="builtin:omfile" dirCreateMode="0755" dirOwnerNum="0" dirGroupNum="0" fileCreateMode="0644" fileOwnerNum="0" fileGroupNum="0" compression.driver="zstd") # Global configuration. global( - workDirectory="/var/lib/rsyslog" + workDirectory="/var/spool/rsyslog" #stdlog.channelspec="on" maxMessageSize="16K" senders.keepTrack="on" senders.timeoutAfter="2419200" senders.reportGoneAway="on" senders.reportNew="on" + parser.permitSlashInProgramName="on" ) -# Inputs. -input(type="imudp" port="25414" ruleset="syslog") -input(type="imudp" port="25415" ruleset="httplog") -input(type="imtcp" port="25414" ruleset="syslog") +# Templates. +# For the log lines. +# The format for any version of message received is: +# . +# Where may be '-' for none, and is either the message's "tag", "app-name", or '-' for none. +template(name="localLogLine" type="string" string="%timereported% %$.host% %syslogfacility-text%.%syslogseverity-text% %$.id% %$.tag%%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n") +template(name="centralLogLine" type="string" string="%timereported:::date-utc% %$.host% %syslogfacility-text%.%syslogseverity-text% %$.id% %$.tag%%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n") +# For the logfile locations. +template(name="localFile" type="string" string="/var/log/%$.logfile%") +template(name="centralFile" type="string" string="/data/logs/%$.fqdn%/%timegenerated:1:4:date-utc,date-rfc3339%/%timegenerated:6:7:date-utc,date-rfc3339%/%timegenerated:9:10:date-utc,date-rfc3339%/%$.logfile%") - -# Rulesets. 
-ruleset(name="syslog") { - set $.host = tolower(field($hostname, ".", 1)); - set $.domain = tolower(re_extract($hostname, '[^.]+\\.(.*)', 0, 1, "unknown_domain")); - if ($app-name != "") then { - set $.proc = $app-name; - if ($procid != "" and $procid != "-") then { - set $.proc = '[' & $procid & ']'; - } +# Rulesets. Must be defined before inputs that use them. +ruleset(name="localSyslog") { + # Use the host's lowercased FQDN. + set $.fqdn = tolower("core.slackware.uk.net"); + # Extract the hostname part of the FQDN the message was receieved from. + set $.host = field($.fqdn, ".", 1); + # Hack for RFC3164 messages that do not contain a 'tag' (usually the process name and ID ending in :). + if ($syslogtag == "") then { + set $.tag = "-:"; } else { - set $.proc = '-'; + set $.tag = $syslogtag; } - if ($msgid != "") then { + # Hack for messages that do not contain a 'msgid'. + if ($msgid == "") then { + set $.id = "-"; + } else { set $.id = $msgid; - } else { - set $.id = '-'; } - template(name="LogLineSingleHost" type="string" string="%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n") - template(name="LogLineAllHosts" type="string" string="%timereported:::date-utc,date-rfc3339% %hostname% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n") + # Direct the message to the correct log(s). 
+ if prifilt("auth.*,authpriv.*") then set $.logfile = "auth"; + if prifilt("cron.*") then set $.logfile = "crond"; + if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $.logfile = "messages"; + if prifilt("ftp.*") then set $.logfile = "ftpd"; + if prifilt("kern.*") then set $.logfile = "kernel"; + if prifilt("lpr.*") then set $.logfile = "dehydrated"; + if prifilt("mail.*") then set $.logfile = "smtpd"; + if prifilt("news.*") then set $.logfile = "kerberos"; + if prifilt("local3.*") then set $.logfile = "named"; +# FIXME: Correct logfile for samba? + if prifilt("local4.*") then set $.logfile = "samba/samba"; + if prifilt("local5.*") then set $.logfile = "rsyncd"; + if prifilt("local6.*") then set $.logfile = "php"; + if prifilt("local7.*") then set $.logfile = "httpd"; +# For next release of rsyslog: +# set $.ret = parse_json('[]', "\$!logfiles"); +# if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth"); +# if prifilt("cron.*") then set $!logfiles = append_json($!logfiles, "crond"); +# if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $!logfiles = append_json($!logfiles, "messages"); +# if prifilt("ftp.*") then set $!logfiles = append_json($!logfiles, "ftpd"); +# if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel"); +# if prifilt("lpr.*") then set $!logfiles = append_json($!logfiles, "dehydrated"); +# if prifilt("mail.*") then set $!logfiles = append_json($!logfiles, "smtpd"); +# if prifilt("news.*") then set $!logfiles = append_json($!logfiles, "kerberos"); +# if prifilt("local3.*") then set $!logfiles = append_json($!logfiles, "named"); +# if prifilt("local4.*") then set $!logfiles = append_json($!logfiles, "samba/samba"); +# if prifilt("local5.*") then set $!logfiles = append_json($!logfiles, "rsyncd"); +# if prifilt("local6.*") then set $!logfiles = append_json($!logfiles, "php"); +# if prifilt("local7.*") then set $!logfiles = 
append_json($!logfiles, "httpd"); +# if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR"); +# if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG"); +# if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG"); -# FIXME: Log each facility to the AllHosts logs. Compression? - if prifilt("auth.*,authpriv.*") then { - action(type="omfile" file="/tmp/log/AllHosts/auth" template="LogLineAllHosts" zipLevel="6" asyncWriting="on" flushInterval="5" ioBufferSize="64k" ) - } else if ... then { - - - - template(name="LogFileeSingleHost" type="string" string="/tmp/logs/%$.host%/ -%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n") - - - - if prifilt("*.info") then { - action(type="omfile" file="/var/log/info.log") - } + # Write the logs. +# foreach ($.logfile in $!logfiles) do { + action(type="omfile" dynaFile="localFile" template="localLogLine" asyncWriting="on" flushInterval="5" ioBufferSize="64k" createDirs="on") + action(type="omfile" dynaFile="centralFile" template="centralLogLine" asyncWriting="on" flushInterval="5" ioBufferSize="64k" createDirs="on") +# } } +ruleset(name="remoteSyslog") { + # Use the incoming host's lowercased FQDN. + set $.fqdn = tolower($fromhost); + # Extract the hostname part of the FQDN the message was receieved from. + set $.host = field($.fqdn, ".", 1); + # Hack for RFC5424 messages that do not contain an app-name or procid. + if ($app-name == "") then { + if ($syslogtag == "") then { + set $.tag = "-"; + } else { + set $.tag = $syslogtag; + } + } else { + if ($procid == "") then { + set $.tag = $app-name; + } else { + set $.tag = $app-name & '[' & $procid & ']'; + } + } + # Hack for messages that do not contain a 'msgid'. + if ($msgid == "") then { + set $.id = "-"; + } else { + set $.id = $msgid; + } + # Direct the message to the correct log(s). 
+ if (re_match_i($.host, '^(esx[[:alnum:]]|vcsa)$')) then { + if prifilt("auth.*,authpriv.*") then set $.logfile = "auth"; + if prifilt("cron.*,daemon.*,ftp.*,lpr.*,news.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*,local7.*") then set $.logfile = "messages"; + if prifilt("kern.*") then set $.logfile = "kernel"; + if prifilt("mail.*") then set $.logfile = "mail"; +# For next release of rsyslog: +# if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth"); +# if prifilt("cron.*,daemon.*,ftp.*,lpr.*,news.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*,local7.*") then set $!logfiles = append_json($!logfiles, "messages"); +# if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel"); +# if prifilt("mail.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "mail"); +# if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR"); +# if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG"); +# if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG"); + } else { + if prifilt("auth.*,authpriv.*") then set $.logfile = "auth"; + if prifilt("cron.*") then set $.logfile = "crond"; + if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $.logfile = "messages"; + if prifilt("ftp.*") then set $.logfile = "ftpd"; + if prifilt("kern.*") then set $.logfile = "kernel"; + if prifilt("lpr.*") then set $.logfile = "dehydrated"; + if prifilt("mail.*") then set $.logfile = "smtpd"; + if prifilt("news.*") then set $.logfile = "kerberos"; + if prifilt("local3.*") then set $.logfile = "named"; + if prifilt("local4.*") then set $.logfile = "samba/samba"; + if prifilt("local5.*") then set $.logfile = "rsyncd"; + if prifilt("local6.*") then set $.logfile = "php"; + if prifilt("local7.*") then set $.logfile = "httpd"; +# For next release of rsyslog: +# set $.ret = 
parse_json('[]', "\$!logfiles"); +# if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth"); +# if prifilt("cron.*") then set $!logfiles = append_json($!logfiles, "crond"); +# if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $!logfiles = append_json($!logfiles, "messages"); +# if prifilt("ftp.*") then set $!logfiles = append_json($!logfiles, "ftpd"); +# if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel"); +# if prifilt("lpr.*") then set $!logfiles = append_json($!logfiles, "dehydrated"); +# if prifilt("mail.*") then set $!logfiles = append_json($!logfiles, "smtpd"); +# if prifilt("news.*") then set $!logfiles = append_json($!logfiles, "kerberos"); +# if prifilt("local3.*") then set $!logfiles = append_json($!logfiles, "named"); +# if prifilt("local4.*") then set $!logfiles = append_json($!logfiles, "samba/samba"); +# if prifilt("local5.*") then set $!logfiles = append_json($!logfiles, "rsyncd"); +# if prifilt("local6.*") then set $!logfiles = append_json($!logfiles, "php"); +# if prifilt("local7.*") then set $!logfiles = append_json($!logfiles, "httpd"); +# if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR"); +# if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG"); +# if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG"); + } + # Write the logs. 
+# foreach ($.logfile in $!logfiles) do { + action(type="omfile" dynaFile="centralFile" template="centralLogLine" asyncWriting="on" flushInterval="5" ioBufferSize="64k" createDirs="on") +# } +} -#template(name="SyslogLineFormat" type="list") { -# property(name="timereported" dateFormat="rfc3339" caseConversion="lower") # Timestamp yyyy-MM-dd'T'HH:mm:ss.SSS'Z' -# constant(value=" ") -# property(name="hostname") # Hostname -# constant(value=" ") -# property(name="syslogfacility") # Facility -# constant(value=".") -# property(name="syslogpriority") # Log priority -# constant(value=" ") -# property(name="syslogtag") # Syslog tag -# constant(value=": ") -# property(name="msg") # Message content -# constant(value="\n") -#} - - - - -#template(name="LogHostFile" type="string" string="/mnt/Data/logs/%HOSTNAME:::escape-cc,secpath-replace%/ -#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/ -# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n") - -#template(name="LogAllHostsFile" type="string" string="/mnt/Data/logs/AllHosts/ -#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/ -# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n") - - - - -#VMWare: RFC 5424 - - - -# Parser. -#parser( -# name="FIXME" -# type="pmnormalize" -# rule=[ -# "rule=:<%pri:number%> %fromhost-ip:ipv4% %hostname:word% %syslogtag:char-to:\\x3a%: %msg:rest%", -# "rule=:<%pri:number%> %hostname:word% %fromhost-ip:ipv4% %syslogtag:char-to:\\x3a%: %msg:rest%" -# ] -#) - - -# Rules -#ruleset(name="outp" parser="custom.pmnormalize") { -# action(type="omfile" File="/tmp/output") -#} - - -# Outputs. -action(type="omfile" file="/tmp/messages" template="LogLineSingleHost") - - +# Inputs. 
+input(type="imuxsock" socket="/dev/log" usePIDFromSystem="on" ruleset="localSyslog") +input(type="imudp" port="25414" ruleset="remoteSyslog") +input(type="imtcp" port="25414" ruleset="remoteSyslog") # Include additional configurations. include(file="/etc/rsyslog.d/*.conf" mode="optional") - - - - -### Examples #### - -# Send all logs to remote syslog via UDP. -# An on-disk queue is created for this action. If the remote host is -# down, messages are spooled to disk and sent when it is up again. -#*.* action( -# type="omfwd" -# target="192.168.0.1" -# port="514" -# protocol="udp" -# queue.filename="fwdRule1" # unique name prefix for spool files -# queue.type="LinkedList" -# queue.maxDiskSpace="256m" -# queue.saveOnShutdown="on" -# action.resumeRetryCount="-1" -# action.resumeInterval="30" -#)
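Review bot: The builtin:omfile module line near the top of the hunk lowers fileCreateMode from 0640 to 0644 and dirCreateMode from 0750 to 0755, so every file this configuration writes — the auth/authpriv stream filed as `auth`, and the per-host tree under /data/logs that `createDirs="on"` builds — becomes world-readable. Authentication logs carry usernames, source addresses and, through mistyped input, occasionally secrets; keeping the previous `fileCreateMode="0640" dirCreateMode="0750"` (with a log-reader group via fileGroupNum/dirGroupNum if non-root access is needed) avoids that, and since logrotate's `create` without a mode copies the rotated file's mode, this setting also decides the permissions of the rotated copies. The host match `re_match_i($.host, '^(esx[[:alnum:]]|vcsa)$')` accepts exactly one character after `esx`, so a host named like esx10 would take the generic branch — confirm that is intended, or use `esx[[:alnum:]]+`. A message whose facility is covered by none of the listed names (facility codes 12–15, which some appliances emit, are not named in either ruleset) leaves `$.logfile` unset, so the dynaFile path presumably degrades to the bare directory and the write fails; a default such as `set $.logfile = "messages";` before each prifilt chain would catch those.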