Still in progress; I'll clean the code up eventually. This was pasted from my notes in a JIRA ticket.

I started setting up rsyslog on *** yesterday to act as a centralized syslog server.
I'm happy with the results so far. Basically, I took what I had on *** and simplified and split out the configs.

{panel:title=/etc/rsyslog.conf}
{code:bash}# rsyslog v5 configuration file

# THE RSYSLOG FILES ARE UNDER RCS CONTROL

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

###
### MODULES
###

# Network inputs. No TLS stream driver is configured in the files shown, so
# what imtcp and imudp receive is neither encrypted nor sender-authenticated.
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imfile # text file input module; no file monitors are defined in the files shown

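### GLOBAL DIRECTIVES
###(some are specified at the end of the file)
#Try to keep FQDNs
$PreserveFQDN on

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Everything is read in order, starting with the files in /etc/rsyslog.d:
# 00-remote-ruleset.conf, starts the remote ruleset; every file read after it
#   is treated as part of that ruleset until the local ruleset is started below.
# 00-templates.conf, loads templates that the remote ruleset uses for file destinations/formatting
# 50-barracuda.conf, catches syslogs coming in from DF barracuda's
# 50-network.conf, catches syslogs coming in from DF network devices
# 99-rsyslog-remote.conf, default catch all for incoming remote syslogs.
#
# Because of that ordering, any other *.conf file placed in /etc/rsyslog.d
# is also read inside the remote ruleset; keep the directory writable by
# root only.

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf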

###
### TEMPLATES: /etc/rsyslog.d/00-templates.conf
### This file contains templates that can be used by any ruleset
###

### Remote: /etc/rsyslog.d/99-rsyslog-remote.conf
### This file contains the rules to set rsyslog up for
### receiving syslogs from remote hosts by default.

###
### Local Ruleset
### This is basically the standard rsyslog.conf for local logging
###

# Every rule from here to the end of the file belongs to the ruleset "local".
$RuleSet local
kern.* /dev/console
# :omusrmsg:* sends emergencies to the terminals of all logged-in users.
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
authpriv.* /var/log/secure
# A leading "-" means the file is not synced after every write.
mail.* -/var/log/maillog
cron.* /var/log/cron
# NOTE(review): selectors are conventionally separated with ";" rather than
# ","; confirm with a config check (rsyslogd -N1) that this line parses as
# "info and above, except mail, authpriv and cron".
*.info,mail.none,authpriv.none,cron.none /var/log/messages

# Inputs that are not bound to another ruleset are processed by "local".
$DefaultRuleset local
{code}
{panel}
{panel:title=/etc/rsyslog.d/00-remote-ruleset.conf}
{code:bash}# Files in /etc/rsyslog.d will hit the remote ruleset.
# Rules read after this line, until the next $RuleSet, belong to "remote".
$RuleSet remote

# NOTE(review): with escaping off, control characters in received messages are
# written to the log files as-is. These files hold data from every host that
# can reach the listeners, so raw escape sequences or embedded line breaks can
# mislead someone reading a log in a terminal. rsyslog's default is "on";
# keep "off" only if a downstream consumer needs the raw bytes.
# This looks like a global setting rather than a per-ruleset one -- confirm.
$EscapeControlCharactersOnReceive off
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/00-templates.conf}
{code:bash}###
### TEMPLATES
###

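# If we set up a machine to send *.* to us, then the messages it sends
# are written to a file whose name is built from one of these templates.
#
# NOTE(review): %HOSTNAME% is the host name carried inside the message, so
# the sender chooses it. A host can therefore log into another host's
# directory, and any "/" or ".." that survives parsing becomes part of the
# path. Consider %FROMHOST% (the name resolved from the sending address, as
# TmplNetwork uses) or the path-sanitising property option, e.g.
# %HOSTNAME:::secpath-replace% -- confirm it is available in the installed
# rsyslog version.

$template TmplMsg,"/logs/servers/%HOSTNAME%/messages.log"
# TmplGC is not referenced by any rule in the files shown.
$template TmplGC,"/logs/servers/%HOSTNAME%/newslog.log"
$template TmplAuth,"/logs/servers/%HOSTNAME%/auth.log"
$template TmplMail,"/logs/servers/%HOSTNAME%/mail.log"
$template TmplCron,"/logs/servers/%HOSTNAME%/cron.log"
$template TmplKernel,"/logs/servers/%HOSTNAME%/console.log"
# Path corrected from /log/servers/... to /logs/servers/... so emergency
# messages land beside the other per-host files and under the
# /logs/servers/*/* logrotate pattern.
$template TmplEmergency,"/logs/servers/%HOSTNAME%/emergency.log"

# One file per sender, named after the resolved name of the sending host.
$template TmplNetwork,"/logs/network/%FROMHOST%"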
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/50-barracuda.conf}
{code:bash}$umask 0000
# With the process umask cleared, new log files get exactly the mode below:
# 0644, owned by root:root, i.e. readable by every local account that can
# reach /logs/mail.
# NOTE(review): mail gateway logs likely contain mail addresses; 0640 with a
# dedicated group is a tighter default if nothing needs world read access.
$FileCreateMode 0644
$FileOwner root
$FileGroup root

# $fromhost is the sender's name as resolved by this server, and both tests
# are plain string matches: any sender whose resolved name starts with
# "barracuda" and contains "example.com" anywhere is written to this file.
# NOTE(review): matching the known appliances on $fromhost-ip would not
# depend on reverse DNS -- confirm against the deployment.
# The "& ~" line discards the message afterwards, so the catch-all rules in
# 99-rsyslog-remote.conf do not log it a second time.
if $fromhost startswith 'barracuda' and $fromhost contains 'example.com' then /logs/mail/barracuda.log
& ~
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/50-network.conf}
{code:bash}# Catching incoming Networking syslog messages
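# I probably want to expand this template more...
# (The note above began with "*" in the paste; as a config line that is not a
# comment, so it is now a "#" comment.)
#
# Messages with facility local0 at priority info or higher go to a per-sender
# file under /logs/network and are then discarded.
# NOTE(review): the selector keys only on facility and priority, so any sender
# that uses local0 is filed as a network device -- confirm that is intended.
local0.info ?TmplNetwork
& ~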
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/99-rsyslog-remote.conf}
{code:bash}$umask 0000
# With the process umask cleared, new log files get exactly the mode below:
# 0644, owned by root:root.
# NOTE(review): this also applies to the per-host auth.log written by the
# authpriv rule; authentication logs are normally not world-readable, so
# consider 0640 (or 0600) here.
$FileCreateMode 0644
$FileOwner root
$FileGroup root

# Standard syslog messages that will log out to separate files based
# on the template ("?Name" selects a dynamic file name built from $template Name).

kern.* ?TmplKernel
*.emerg ?TmplEmergency
authpriv.* ?TmplAuth
mail.* ?TmplMail
cron.* ?TmplCron
# NOTE(review): selectors are conventionally separated with ";" rather than
# ","; confirm with a config check (rsyslogd -N1) that this line parses as
# "info and above, except mail, authpriv and cron".
*.info,mail.none,authpriv.none,cron.none ?TmplMsg

###
### Remote listeners (told to use the remote ruleset)
###

# bind ruleset to the tcp and udp listeners
# (the bind directives are given before the Run directives they apply to)
$InputTCPServerBindRuleset remote
$InputUDPServerBindRuleset remote
# and activate it:
# NOTE(review): both listeners take plain syslog on port 514; no
# $AllowedSender or TLS setting appears in the files shown, and UDP source
# addresses can be forged. Limit who can reach these ports (host firewall,
# $AllowedSender) so that only the intended log sources can write here.
$InputTCPServerRun 514
$UDPServerRun 514
{code}
{panel}

I also created a logrotate file to rotate the files daily so we don't run into an issue with space.
{panel:title=/etc/logrotate.d/rsyslog-centralized}
{code:bash}/logs/servers/*/*
/logs/network/*
/logs/mail/*
{
# Rotate every day and keep 30 compressed generations.
daily
rotate 30
compress
# Relative olddir: rotated files are moved to an OLD directory next to each log.
# NOTE(review): confirm that OLD exists in every log directory (per-host
# directories presumably appear on demand as new hosts start sending) and
# that the wildcards above do not pick up OLD itself.
olddir OLD
# Run the postrotate script once for all matched logs, not once per file.
sharedscripts
# NOTE(review): every error from the HUP below is discarded. If the pid file
# is missing or names another process, rsyslog is never told to reopen its
# files -- verify the path matches the running daemon.
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
{code}
{panel}

Still in progress; I'll clean the code up eventually. This was pasted from my notes in a JIRA ticket.

I started setting up rsyslog on *** yesterday to act as a centralized syslog server.
I'm happy with the results so far. Basically, I took what I had on *** and simplified and split out the configs.

{panel:title=/etc/rsyslog.conf}
{code:bash}# rsyslog v5 configuration file

# THE RSYSLOG FILES ARE UNDER RCS CONTROL

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

###
### MODULES
###

# Network inputs. No TLS stream driver is configured in the files shown, so
# what imtcp and imudp receive is neither encrypted nor sender-authenticated.
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imfile # text file input module; no file monitors are defined in the files shown

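### GLOBAL DIRECTIVES
###(some are specified at the end of the file)
#Try to keep FQDNs
$PreserveFQDN on

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Everything is read in order, starting with the files in /etc/rsyslog.d:
# 00-remote-ruleset.conf, starts the remote ruleset; every file read after it
#   is treated as part of that ruleset until the local ruleset is started below.
# 00-templates.conf, loads templates that the remote ruleset uses for file destinations/formatting
# 50-barracuda.conf, catches syslogs coming in from DF barracuda's
# 50-network.conf, catches syslogs coming in from DF network devices
# 99-rsyslog-remote.conf, default catch all for incoming remote syslogs.
#
# Because of that ordering, any other *.conf file placed in /etc/rsyslog.d
# is also read inside the remote ruleset; keep the directory writable by
# root only.

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf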

###
### TEMPLATES: /etc/rsyslog.d/00-templates.conf
### This file contains templates that can be used by any ruleset
###

### Remote: /etc/rsyslog.d/99-rsyslog-remote.conf
### This file contains the rules to set rsyslog up for
### receiving syslogs from remote hosts by default.

###
### Local Ruleset
### This is basically the standard rsyslog.conf for local logging
###

# Every rule from here to the end of the file belongs to the ruleset "local".
$RuleSet local
kern.* /dev/console
# :omusrmsg:* sends emergencies to the terminals of all logged-in users.
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
authpriv.* /var/log/secure
# A leading "-" means the file is not synced after every write.
mail.* -/var/log/maillog
cron.* /var/log/cron
# NOTE(review): selectors are conventionally separated with ";" rather than
# ","; confirm with a config check (rsyslogd -N1) that this line parses as
# "info and above, except mail, authpriv and cron".
*.info,mail.none,authpriv.none,cron.none /var/log/messages

# Inputs that are not bound to another ruleset are processed by "local".
$DefaultRuleset local
{code}
{panel}
{panel:title=/etc/rsyslog.d/00-remote-ruleset.conf}
{code:bash}# Files in /etc/rsyslog.d will hit the remote ruleset.
# Rules read after this line, until the next $RuleSet, belong to "remote".
$RuleSet remote

# NOTE(review): with escaping off, control characters in received messages are
# written to the log files as-is. These files hold data from every host that
# can reach the listeners, so raw escape sequences or embedded line breaks can
# mislead someone reading a log in a terminal. rsyslog's default is "on";
# keep "off" only if a downstream consumer needs the raw bytes.
# This looks like a global setting rather than a per-ruleset one -- confirm.
$EscapeControlCharactersOnReceive off
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/00-templates.conf}
{code:bash}###
### TEMPLATES
###

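# If we set up a machine to send *.* to us, then the messages it sends
# are written to a file whose name is built from one of these templates.
#
# NOTE(review): %HOSTNAME% is the host name carried inside the message, so
# the sender chooses it. A host can therefore log into another host's
# directory, and any "/" or ".." that survives parsing becomes part of the
# path. Consider %FROMHOST% (the name resolved from the sending address, as
# TmplNetwork uses) or the path-sanitising property option, e.g.
# %HOSTNAME:::secpath-replace% -- confirm it is available in the installed
# rsyslog version.

$template TmplMsg,"/logs/servers/%HOSTNAME%/messages.log"
# TmplGC is not referenced by any rule in the files shown.
$template TmplGC,"/logs/servers/%HOSTNAME%/newslog.log"
$template TmplAuth,"/logs/servers/%HOSTNAME%/auth.log"
$template TmplMail,"/logs/servers/%HOSTNAME%/mail.log"
$template TmplCron,"/logs/servers/%HOSTNAME%/cron.log"
$template TmplKernel,"/logs/servers/%HOSTNAME%/console.log"
# Path corrected from /log/servers/... to /logs/servers/... so emergency
# messages land beside the other per-host files and under the
# /logs/servers/*/* logrotate pattern.
$template TmplEmergency,"/logs/servers/%HOSTNAME%/emergency.log"

# One file per sender, named after the resolved name of the sending host.
$template TmplNetwork,"/logs/network/%FROMHOST%"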
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/50-barracuda.conf}
{code:bash}$umask 0000
# With the process umask cleared, new log files get exactly the mode below:
# 0644, owned by root:root, i.e. readable by every local account that can
# reach /logs/mail.
# NOTE(review): mail gateway logs likely contain mail addresses; 0640 with a
# dedicated group is a tighter default if nothing needs world read access.
$FileCreateMode 0644
$FileOwner root
$FileGroup root

# $fromhost is the sender's name as resolved by this server, and both tests
# are plain string matches: any sender whose resolved name starts with
# "barracuda" and contains "example.com" anywhere is written to this file.
# NOTE(review): matching the known appliances on $fromhost-ip would not
# depend on reverse DNS -- confirm against the deployment.
# The "& ~" line discards the message afterwards, so the catch-all rules in
# 99-rsyslog-remote.conf do not log it a second time.
if $fromhost startswith 'barracuda' and $fromhost contains 'example.com' then /logs/mail/barracuda.log
& ~
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/50-network.conf}
{code:bash}# Catching incoming Networking syslog messages
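# I probably want to expand this template more...
# (The note above began with "*" in the paste; as a config line that is not a
# comment, so it is now a "#" comment.)
#
# Messages with facility local0 at priority info or higher go to a per-sender
# file under /logs/network and are then discarded.
# NOTE(review): the selector keys only on facility and priority, so any sender
# that uses local0 is filed as a network device -- confirm that is intended.
local0.info ?TmplNetwork
& ~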
{code}
{panel}

{panel}
{panel:title=/etc/rsyslog.d/99-rsyslog-remote.conf}
{code:bash}$umask 0000
# With the process umask cleared, new log files get exactly the mode below:
# 0644, owned by root:root.
# NOTE(review): this also applies to the per-host auth.log written by the
# authpriv rule; authentication logs are normally not world-readable, so
# consider 0640 (or 0600) here.
$FileCreateMode 0644
$FileOwner root
$FileGroup root

# Standard syslog messages that will log out to separate files based
# on the template ("?Name" selects a dynamic file name built from $template Name).

kern.* ?TmplKernel
*.emerg ?TmplEmergency
authpriv.* ?TmplAuth
mail.* ?TmplMail
cron.* ?TmplCron
# NOTE(review): selectors are conventionally separated with ";" rather than
# ","; confirm with a config check (rsyslogd -N1) that this line parses as
# "info and above, except mail, authpriv and cron".
*.info,mail.none,authpriv.none,cron.none ?TmplMsg

###
### Remote listeners (told to use the remote ruleset)
###

# bind ruleset to the tcp and udp listeners
# (the bind directives are given before the Run directives they apply to)
$InputTCPServerBindRuleset remote
$InputUDPServerBindRuleset remote
# and activate it:
# NOTE(review): both listeners take plain syslog on port 514; no
# $AllowedSender or TLS setting appears in the files shown, and UDP source
# addresses can be forged. Limit who can reach these ports (host firewall,
# $AllowedSender) so that only the intended log sources can write here.
$InputTCPServerRun 514
$UDPServerRun 514
{code}
{panel}

I also created a logrotate file to rotate the files daily so we don't run into an issue with space.
{panel:title=/etc/logrotate.d/rsyslog-centralized}
{code:bash}/logs/servers/*/*
/logs/network/*
/logs/mail/*
{
# Rotate every day and keep 30 compressed generations.
daily
rotate 30
compress
# Relative olddir: rotated files are moved to an OLD directory next to each log.
# NOTE(review): confirm that OLD exists in every log directory (per-host
# directories presumably appear on demand as new hosts start sending) and
# that the wildcards above do not pick up OLD itself.
olddir OLD
# Run the postrotate script once for all matched logs, not once per file.
sharedscripts
# NOTE(review): every error from the HUP below is discarded. If the pid file
# is missing or names another process, rsyslog is never told to reopen its
# files -- verify the path matches the running daemon.
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
{code}
{panel}