0

Is there a way to create an rsyslog rule that will process all incoming UDP traffic to a different file (the same way rules are written for subsystems)?

So, for example, I would do something like this:

udp.* /var/log/remoteSrv

The closest I have found was how to change files based on the remote system, but I'm just looking to know if the log came from the local machine or from a remote server.

http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/

Thanks for the help

1 Answer

0

You can use the information in your link to derive something like the following, to put near the start of your config file:

$ModLoad imudp
$UDPServerRun 514
# do this in FRONT of the local/regular rules
if $fromhost-ip != '127.0.0.1' then /var/log/remoteSrv
& stop
# local/regular rules, like
*.* /var/log/syslog.log

This filters messages not from the localhost, 127.0.0.1, to the wanted logfile, then suppresses them (stop). Then you can use whatever rules you already have for the remaining messages, for example as given in the last line.

meuh
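
An alternative to the source-address filter in the answer above, added here as an example and not part of the original answer: bind the UDP input to its own ruleset, so messages are routed by the input they arrived on rather than by `$fromhost-ip`. The ruleset name `remote` is an assumption, and the syntax assumes an rsyslog version that supports the RainerScript `module()`, `input()` and `ruleset()` objects.

```conf
# Added example: route by input instead of by source address.
# The ruleset name "remote" is an assumed, illustrative name.
module(load="imudp")

# Define the ruleset before the input that refers to it.
ruleset(name="remote") {
    # Everything received on the UDP listener is written here.
    action(type="omfile" file="/var/log/remoteSrv")
}

# Messages from this input are processed only by the "remote" ruleset,
# so they never reach the default rules below and no "& stop" is needed.
input(type="imudp" port="514" ruleset="remote")

# local/regular rules (default ruleset), like
*.* /var/log/syslog.log
```

The two approaches differ for a local process that sends to 127.0.0.1:514 over UDP: the ruleset binding writes it to /var/log/remoteSrv because it arrived on the UDP listener, while the `$fromhost-ip` filter leaves it to the local rules.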