====== rsyslog ======

===== remote log server =====

==== do no log twice ====

[[https://unix.stackexchange.com/questions/631660/rsyslog-prevent-local-host-logging-twice|Rsyslog - prevent local host logging twice]]

<code>
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
ruleset(name="remote"){
 $template RemoteLogs,"/var/log/devices/%HOSTNAME%.log" 
 *.*  ?RemoteLogs
}
</code>

==== dump vars rule ====
<code>
$template DUMP_ALL_VAR,"/rsyslog/dump_hostname=%HOSTNAME%,fromhost=%FROMHOST%,fromhost-ip=%FROMHOST-IP%,syslogtag=%SYSLOGTAG%,programname=%PROGRAMNAME%,app-name=%APP-NAME%"
*.* ?DUMP_ALL_VAR
</code>

==== rule for TP-Link switch ====

<code>
$template TPLinkSwitch,"/rsyslog/%FROMHOST%/syslog.log"
if ($msg contains "T2600G-28TS") then {
    ?TPLinkSwitch
    stop
}
</code>