manchot0/gist:50bf257bf893c91c6c009bea5caf96e9

## gistfile1.txt
#template to construct the path where to save the logs received
#/srv/log/192.168.xx.xx/year-month/day/$.logpath
#$.logpath is set in the "RemoteLogProcess" ruleset
template(name="RemoteLogSavePath" type="list") {
    constant(value="/srv/log/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="timegenerated" dateFormat="year")
    constant(value="-")
    property(name="timegenerated" dateFormat="month")
    constant(value="/")
    property(name="timegenerated" dateFormat="day")
    constant(value="/")
    property(name="$.logpath" )
}

# Template to output only message
template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")

#load the module to receive udp logs
module(load="imudp")
#receive udp logs on port yyyyy
input(type="imudp" port="yyyyy" address="192.168.xx.xx" ruleset="RemoteLogProcess")

#load the module to write received logs to files
module(load="builtin:omfile" FileOwner="syslog" FileGroup="adm" dirOwner="syslog" dirGroup="adm" FileCreateMode="0640" DirCreateMode="0755")

ruleset(name="RemoteLogProcess") {
    # For facilities local0-7 set log filename from $programname field: replace __ with /
    # Message has arbitary format, syslog fields are not used
    if ( $syslogfacility >= 16 ) then
    {
        set $.logpath = replace($programname, "__", "/");
        action(type="omfile" dynaFileCacheSize="1024" dynaFile="RemoteLogSavePath" template="OnlyMsg"
        flushOnTXEnd="off" asyncWriting="on" flushInterval="1" ioBufferSize="64k")

    # Logs with filename defined from facility
    # Message has syslog format, syslog fields are used
    } else {
        if (($syslogfacility == 0)) then {
            set $.logpath = "kern";
        } else if (($syslogfacility == 4) or ($syslogfacility == 10)) then {
            set $.logpath = "auth";
        } else if (($syslogfacility == 9) or ($syslogfacility == 15)) then {
            set $.logpath = "cron";
        } else {
            set $.logpath ="syslog";
        }
        # Built-in template RSYSLOG_FileFormat: High-precision timestamps and timezone information
        action(type="omfile" dynaFileCacheSize="1024" dynaFile="RemoteLogSavePath" template="RSYSLOG_FileFormat"
        flushOnTXEnd="off" asyncWriting="on" flushInterval="1" ioBufferSize="64k")
    }
}
	#template to construct the path where to save the logs received
	#/srv/log/192.168.xx.xx/year-month/day/$.logpath
	#$.logpath is set in the "RemoteLogProcess" ruleset
	template(name="RemoteLogSavePath" type="list") {
	constant(value="/srv/log/")
	property(name="fromhost-ip")
	constant(value="/")
	property(name="timegenerated" dateFormat="year")
	constant(value="-")
	property(name="timegenerated" dateFormat="month")
	constant(value="/")
	property(name="timegenerated" dateFormat="day")
	constant(value="/")
	property(name="$.logpath" )
	}

	# Template to output only message
	template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")

	#load the module to receive udp logs
	module(load="imudp")
	#receive udp logs on port yyyyy
	input(type="imudp" port="yyyyy" address="192.168.xx.xx" ruleset="RemoteLogProcess")

	#load the module to write received logs to files
	module(load="builtin:omfile" FileOwner="syslog" FileGroup="adm" dirOwner="syslog" dirGroup="adm" FileCreateMode="0640" DirCreateMode="0755")

	ruleset(name="RemoteLogProcess") {
	# For facilities local0-7 set log filename from $programname field: replace __ with /
	# Message has arbitary format, syslog fields are not used
	if ( $syslogfacility >= 16 ) then
	{
	set $.logpath = replace($programname, "__", "/");
	action(type="omfile" dynaFileCacheSize="1024" dynaFile="RemoteLogSavePath" template="OnlyMsg"
	flushOnTXEnd="off" asyncWriting="on" flushInterval="1" ioBufferSize="64k")

	# Logs with filename defined from facility
	# Message has syslog format, syslog fields are used
	} else {
	if (($syslogfacility == 0)) then {
	set $.logpath = "kern";
	} else if (($syslogfacility == 4) or ($syslogfacility == 10)) then {
	set $.logpath = "auth";
	} else if (($syslogfacility == 9) or ($syslogfacility == 15)) then {
	set $.logpath = "cron";
	} else {
	set $.logpath ="syslog";
	}
	# Built-in template RSYSLOG_FileFormat: High-precision timestamps and timezone information
	action(type="omfile" dynaFileCacheSize="1024" dynaFile="RemoteLogSavePath" template="RSYSLOG_FileFormat"
	flushOnTXEnd="off" asyncWriting="on" flushInterval="1" ioBufferSize="64k")
	}
	}