system-configs/etc/rsyslog.conf

# VMWare: RFC5424 message format.

# Load modules.
module(load="imuxsock" sysSock.usePIDFromSystem="on")
module(load="imudp")
module(load="imtcp")
#module(load="imfile" Mode="inotify")
module(load="builtin:omfile" dirCreateMode="0755" dirOwnerNum="0" dirGroupNum="0" fileCreateMode="0644" fileOwnerNum="0" fileGroupNum="0" compression.driver="zstd")

# Global configuration.
global(
  workDirectory="/var/spool/rsyslog"
  #stdlog.channelspec="on"
  maxMessageSize="16K"
  senders.keepTrack="on"
  senders.timeoutAfter="2419200"
  senders.reportGoneAway="on"
  senders.reportNew="on"
  parser.permitSlashInProgramName="on"
)


# Templates.
# For the log lines.
# The format for any version of message received is:
# <date> <short-hostname> <facility>.<severity> <msgid> <tag> <message>
# Where <msgid> may be '-' for none, and <tag> is either the message's "tag", "app-name", or '-' for none.
template(name="localLogLine" type="string" string="%timereported% %$.host% %syslogfacility-text%.%syslogseverity-text% %$.id% %$.tag%%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
template(name="centralLogLine" type="string" string="%timereported:::date-utc% %$.host% %syslogfacility-text%.%syslogseverity-text% %$.id% %$.tag%%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
# For the logfile locations.
template(name="localFile" type="string" string="/var/log/%$.logfile%")
template(name="centralFile" type="string" string="/data/logs/%$.fqdn%/%timegenerated:1:4:date-utc,date-rfc3339%/%timegenerated:6:7:date-utc,date-rfc3339%/%timegenerated:9:10:date-utc,date-rfc3339%/%$.logfile%")

# Rulesets.  Must be defined before inputs that use them.
ruleset(name="localSyslog") {
  # Use the host's lowercased FQDN.
  set $.fqdn = tolower("core.slackware.uk.net");
  # Extract the hostname part of the FQDN the message was receieved from.
  set $.host = field($.fqdn, ".", 1);
  # Hack for RFC3164 messages that do not contain a 'tag' (usually the process name and ID ending in :).
  if ($syslogtag == "") then {
    set $.tag = "-:";
  } else {
    set $.tag = $syslogtag;
  }
  # Hack for messages that do not contain a 'msgid'.
  if ($msgid == "") then {
    set $.id = "-";
  } else {
    set $.id = $msgid;
  }

  # Direct the message to the correct log(s).
  if prifilt("auth.*,authpriv.*") then set $.logfile = "auth";
  if prifilt("cron.*") then set $.logfile = "crond";
  if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $.logfile = "messages";
  if prifilt("ftp.*") then set $.logfile = "ftpd";
  if prifilt("kern.*") then set $.logfile = "kernel";
  if prifilt("lpr.*") then set $.logfile = "dehydrated";
  if prifilt("mail.*") then set $.logfile = "smtpd";
  if prifilt("news.*") then set $.logfile = "kerberos";
  if prifilt("local3.*") then set $.logfile = "named";
# FIXME: Correct logfile for samba?
  if prifilt("local4.*") then set $.logfile = "samba/samba";
  if prifilt("local5.*") then set $.logfile = "rsyncd";
  if prifilt("local6.*") then set $.logfile = "php";
  if prifilt("local7.*") then set $.logfile = "httpd";
# For next release of rsyslog:
#  set $.ret = parse_json('[]', "\$!logfiles");
#  if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth");
#  if prifilt("cron.*") then set $!logfiles = append_json($!logfiles, "crond");
#  if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $!logfiles = append_json($!logfiles, "messages");
#  if prifilt("ftp.*") then set $!logfiles = append_json($!logfiles, "ftpd");
#  if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel");
#  if prifilt("lpr.*") then set $!logfiles = append_json($!logfiles, "dehydrated");
#  if prifilt("mail.*") then set $!logfiles = append_json($!logfiles, "smtpd");
#  if prifilt("news.*") then set $!logfiles = append_json($!logfiles, "kerberos");
#  if prifilt("local3.*") then set $!logfiles = append_json($!logfiles, "named");
#  if prifilt("local4.*") then set $!logfiles = append_json($!logfiles, "samba/samba");
#  if prifilt("local5.*") then set $!logfiles = append_json($!logfiles, "rsyncd");
#  if prifilt("local6.*") then set $!logfiles = append_json($!logfiles, "php");
#  if prifilt("local7.*") then set $!logfiles = append_json($!logfiles, "httpd");
#  if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR");
#  if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG");
#  if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG");

  # Write the logs.
#  foreach ($.logfile in $!logfiles) do {
    action(type="omfile" dynaFile="localFile" template="localLogLine" asyncWriting="off" flushInterval="5" ioBufferSize="64k" createDirs="on")
    action(type="omfile" dynaFile="centralFile" template="centralLogLine" asyncWriting="off" flushInterval="5" ioBufferSize="64k" createDirs="on")
#  }
}

ruleset(name="remoteSyslog") {
  # Use the incoming host's lowercased FQDN.
  set $.fqdn = tolower($fromhost);
  # Extract the hostname part of the FQDN the message was receieved from.
  set $.host = field($.fqdn, ".", 1);
  # Hack for RFC5424 messages that do not contain an app-name or procid.
  if ($app-name == "") then {
    if ($syslogtag == "") then {
      set $.tag = "-";
    } else {
      set $.tag = $syslogtag;
    }
  } else {
    if ($procid == "") then {
      set $.tag = $app-name;
    } else {
      set $.tag = $app-name & '[' & $procid & ']';
    }
  }
  # Hack for messages that do not contain a 'msgid'.
  if ($msgid == "") then {
    set $.id = "-";
  } else {
    set $.id = $msgid;
  }

  # Direct the message to the correct log(s).
  if (re_match_i($.host, '^(esx[[:alnum:]]|vcsa)$')) then {
    if prifilt("auth.*,authpriv.*") then set $.logfile = "auth";
    if prifilt("cron.*,daemon.*,ftp.*,lpr.*,news.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*,local7.*") then set $.logfile = "messages";
    if prifilt("kern.*") then set $.logfile = "kernel";
    if prifilt("mail.*") then set $.logfile = "mail";
# For next release of rsyslog:
#    if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth");
#    if prifilt("cron.*,daemon.*,ftp.*,lpr.*,news.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*,local7.*") then set $!logfiles = append_json($!logfiles, "messages");
#    if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel");
#    if prifilt("mail.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "mail");
#    if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR");
#    if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG");
#    if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG");
  } else {
    if prifilt("auth.*,authpriv.*") then set $.logfile = "auth";
    if prifilt("cron.*") then set $.logfile = "crond";
    if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $.logfile = "messages";
    if prifilt("ftp.*") then set $.logfile = "ftpd";
    if prifilt("kern.*") then set $.logfile = "kernel";
    if prifilt("lpr.*") then set $.logfile = "dehydrated";
    if prifilt("mail.*") then set $.logfile = "smtpd";
    if prifilt("news.*") then set $.logfile = "kerberos";
    if prifilt("local3.*") then set $.logfile = "named";
    if prifilt("local4.*") then set $.logfile = "samba/samba";
    if prifilt("local5.*") then set $.logfile = "rsyncd";
    if prifilt("local6.*") then set $.logfile = "php";
    if prifilt("local7.*") then set $.logfile = "httpd";
# For next release of rsyslog:
#    set $.ret = parse_json('[]', "\$!logfiles");
#    if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth");
#    if prifilt("cron.*") then set $!logfiles = append_json($!logfiles, "crond");
#    if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $!logfiles = append_json($!logfiles, "messages");
#    if prifilt("ftp.*") then set $!logfiles = append_json($!logfiles, "ftpd");
#    if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel");
#    if prifilt("lpr.*") then set $!logfiles = append_json($!logfiles, "dehydrated");
#    if prifilt("mail.*") then set $!logfiles = append_json($!logfiles, "smtpd");
#    if prifilt("news.*") then set $!logfiles = append_json($!logfiles, "kerberos");
#    if prifilt("local3.*") then set $!logfiles = append_json($!logfiles, "named");
#    if prifilt("local4.*") then set $!logfiles = append_json($!logfiles, "samba/samba");
#    if prifilt("local5.*") then set $!logfiles = append_json($!logfiles, "rsyncd");
#    if prifilt("local6.*") then set $!logfiles = append_json($!logfiles, "php");
#    if prifilt("local7.*") then set $!logfiles = append_json($!logfiles, "httpd");
#    if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR");
#    if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG");
#    if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG");
  }

  # Write the logs.
#  foreach ($.logfile in $!logfiles) do {
    action(type="omfile" dynaFile="centralFile" template="centralLogLine" asyncWriting="off" flushInterval="5" ioBufferSize="64k" createDirs="on")
#  }
}

# Inputs.
input(type="imuxsock" socket="/dev/log" usePIDFromSystem="on" ruleset="localSyslog")
input(type="imudp" port="25414" ruleset="remoteSyslog")
input(type="imtcp" port="25414" ruleset="remoteSyslog")

# Include additional configurations.
include(file="/etc/rsyslog.d/*.conf" mode="optional")