Very simple config -- starting point for modifications
From rsyslog wiki
I struggled a bit to figure out where to start with rsyslogd. I wanted to find a complete conf file that I could edit, but everything I found was either really complex or did not include the original syslog information. So here it is... I bolded everything that I made changes in from either the standards in the docs or suggestions.
# -- Loading modules
$ModLoad immark
$ModLoad imudp
$ModLoad imtcp
$ModLoad imuxsock
$ModLoad imklog
# since I am using a uniprocessor pc, I put this in.
$OptimizeForUniprocessor on
# I also wanted to be able to receive syslog traffic
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
# and reduce any duplicates
$RepeatedMsgReduction on
$RepeatedMsgContainsOriginalMsg on
# this is for Windows events from SNARE
$EscapeControlCharactersOnReceive off
# A basic template mostly from the docs, but I wanted to know what system forwarded the messages so I added some text. Also I added the ":::space" to handle the windows events (based on the other suggestions in this wiki)
$template SyslFormat,"%timegenerated% [WJCG]-%HOSTNAME% %syslogtag%%msg:::space$
# these are right from the default syslog.conf file, adding the ;SyslFormat template at the end
kern.debug /var/adm/syslog.dated/kern.log;SyslFormat
user.debug /var/adm/syslog.dated/user.log;SyslFormat
daemon.debug /var/adm/syslog.dated/daemon.log;SyslFormat
auth.crit;syslog.debug /var/adm/syslog.dated/syslog.log;SyslFormat
mail,lpr.debug /var/adm/syslog/misc.log;SyslFormat
kern.debug /var/adm/messages;SyslFormat
kern.debug /dev/console;SyslFormat
*.emerg *
#this will forward all the logs to another server using TCP port 2010.
*.* @@1.2.3.4:2010;SyslFormat
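
Added example (not part of the original wiki page and not rsyslog's own code): a small Python check that reads a legacy-format rsyslog config such as the one above and reports the receiver and forwarder settings worth reviewing before it goes on a network. $AllowedSender, $InputTCPServerRun and $ActionSendStreamDriverMode are real rsyslog directives that the config above does not use; the finding codes and the SAMPLE text are constructed for this example.

```python
import re

# Constructed sample: the input and forwarding lines of the config above.
SAMPLE = """\
$ModLoad imudp
$ModLoad imtcp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
$EscapeControlCharactersOnReceive off
*.* @@1.2.3.4:2010;SyslFormat
"""

def parse(text):
    """Split legacy-format config text into $directives and forwarding actions."""
    directives, forwards = [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            directives.append((name.lower(), value.strip()))  # names are case-insensitive
        elif not line.startswith("#"):
            m = re.match(r"\S+\s+(@@?)([^;\s]+)", line)  # selector, then @host or @@host
            if m:
                forwards.append(("tcp" if m.group(1) == "@@" else "udp", m.group(2)))
    return directives, forwards

def audit(text):
    """Return (code, detail) findings for the receiver and forwarder settings."""
    directives, forwards = parse(text)
    values = {}
    for name, value in directives:
        values.setdefault(name, []).append(value.lower())
    findings = []
    udp_filtered = any(v.startswith("udp") for v in values.get("allowedsender", []))
    bind = "*"  # imudp binds to every address until $UDPServerAddress is set
    for name, value in directives:  # order matters: the address applies to later listeners
        if name == "udpserveraddress":
            bind = value
        elif name == "udpserverrun" and bind in ("*", "0.0.0.0") and not udp_filtered:
            findings.append(("open-udp", f"port {value} accepts any sender on every interface"))
    if "imtcp" in values.get("modload", []) and "inputtcpserverrun" not in values:
        findings.append(("tcp-idle", "imtcp is loaded but no $InputTCPServerRun starts it"))
    if "off" in values.get("escapecontrolcharactersonreceive", []):
        findings.append(("raw-ctl", "control characters reach the templates unescaped"))
    if "1" not in values.get("actionsendstreamdrivermode", []):  # default mode 0 is plain TCP
        findings += [("plain-fwd", f"forward to {t} is not TLS-wrapped") for p, t in forwards if p == "tcp"]
    return findings

if __name__ == "__main__":
    print("\n".join(f"{code}: {detail}" for code, detail in audit(SAMPLE)))
```

Run against the sample it reports all four findings; binding the UDP listener to one address or adding a "$AllowedSender UDP, ..." line clears the first.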