This snippet should work. I saved it under /etc/rsyslog.d/local-network.conf
# v5 config - docs used: http://www.rsyslog.com/doc/v8-stable/historical/multi_ruleset_legacy_format_samples.html $template HostBasedLog,"/var/log/network/%HOSTNAME%/%$YEAR%/%$MONTH%/%HOSTNAME%.log" $RuleSet remote *.* ?HostBasedLog # UDP config reverted in main config, and re-enabled here, in similar order # as main TCP example (I even enable the module here too) $ModLoad imudp # bind ruleset to udp listener $InputUDPServerBindRuleset remote # and activate it: $UDPServerRun 514 # switch back to the default ruleset: $RuleSet RSYSLOG_DefaultRuleset
In the future, hoping I can simply enable this config
# http://www.rsyslog.com/doc/v7-stable/concepts/multi_ruleset.html#split-local-and-remote-logging
# seems to be a v7 example
#template(name="HostBasedLog" type="string" string="/var/log/network/%HOSTNAME%/%$YEAR%/%$MONTH%/%HOSTNAME%.log")
#
#ruleset(name="remote"){
# action(type="omfile" dynaFile="HostBasedLog")
# # dynaFile? $Host..., or Host...?
#}
#
#input(type="imudp" port="514" ruleset="remote")