I configured rsyslog to store remote logs coming in under a custom directory: /var/log/fleet.
The logs created in the hostname- and program-derived directories are created where intended, but the syslog of each remote host.
Unintended behavior is that all remote logs from all hosts go to one file under: /var/log/fleet/syslog.
The following configs are used:
/etc/rsyslog.conf:
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/60-fleet.conf:
$template RemoteLogs,"/var/log/fleet/%HOSTNAME%/%PROGRAMNAME%.log"
if ($fromhost-ip != "127.0.0.1") then ?RemoteLogs
& ~
/etc/rsyslog.d/50-default.conf:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
mail.err /var/log/mail.err
# Emergencies are sent to everybody logged in.
*.emerg :omusrmsg:*
How is that?
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic