[rsyslog-notify] Forum Thread: rsyslog - cluster / HA Best practice Example - (Mode 'post')
noreply at adiscon.com
Mon Sep 21 18:08:01 CEST 2015
User: penguinpages
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25940#p25940
Message:
----------
New to syslog.. RTFM link ok.. Please provide an explanation with the code
posting :)
Goal: Build a redundant HA Syslog server which enables saving of log
files with resiliency sufficient to rely upon for security and audit trails
for compliance.
Attached is "diagram" of what I am building.
Here is another post to the CentOS forum on the topic: https://www.centos.org/forums/viewtopic.php?f=47&t=54259
Question:
1) How do I set up my /etc/rsyslog.conf to break out a specified bank of IPs
(preferred would be reverse DNS lookup first, then IP secondary) into
different folders and files. Each source IP would go into a different file.
Folders would reflect the category of devices (such as /var/log/syslog/switches
for all the switches and routers, /var/log/syslog/storage )
Based on the one response... I would define each host (hopefully a group or
listing of several IPs or DNS entries :) ) that would dump into a specific
file in /var/log
$template DynFile,"/var/log/system-%HOSTNAME%.log"
But still not clear what entry would look like in /etc/rsyslog.conf
Can someone post example where:
172.20.10.1 -> saves all entries on UDP or TCP port 514 to
/var/log/syslog/core/switches.log
172.20.13.100, 172.20.41.100 -> saves all entries on UDP or TCP port 514
to /var/log/syslog/core/servers.log
172.20.23.132, *.storage.foo.com -> saves all entries from DNS search
string or IP on UDP or TCP port 514 to /var/log/syslog/core/storage.log
I have never done a syslog server before.. so any other recommendations on
this kind of HA topic would be helpful. I will post back the
final "cookbook" once I put the pieces together.
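The following is an added example answering the question above; it is not code from the forum post or from any reply to it. It is a rsyslog 7/8 RainerScript fragment for /etc/rsyslog.conf that routes incoming UDP/TCP 514 traffic by sending address into the three files named in the question, falls back to one file per source IP for anything unlisted, and matches the `*.storage.foo.com` case on the reverse-DNS name of the peer. The addresses, hostnames and file paths are the ones from the question; the ruleset name `remote`, the `/var/log/syslog/unknown/` fallback directory and the file/directory modes are assumptions.

```rsyslog
# Added example (not from the forum post). Routes remote syslog by sending IP
# or reverse-DNS name into per-category files. Ruleset name "remote", the
# "unknown" fallback directory and the 0750/0640 modes are assumptions.

module(load="imudp")
module(load="imtcp")

# Bind both listeners to a dedicated ruleset so remote messages never mix
# with this box's own local logs (a remote sender cannot write into
# /var/log/messages or /var/log/secure this way).
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# Fallback: one file per sending IP, so sources not listed below are still
# captured instead of silently dropped.
template(name="PerSource" type="string"
         string="/var/log/syslog/unknown/%fromhost-ip%.log")

ruleset(name="remote") {
    # Match on $fromhost-ip (the address of the socket peer), not on
    # $hostname, which is copied from the message header and is whatever the
    # sender chose to put there.
    if $fromhost-ip == "172.20.10.1" then {
        action(type="omfile" file="/var/log/syslog/core/switches.log"
               dirCreateMode="0750" fileCreateMode="0640")
        stop
    }

    # An array on the right-hand side of == matches any listed value.
    if $fromhost-ip == ["172.20.13.100", "172.20.41.100"] then {
        action(type="omfile" file="/var/log/syslog/core/servers.log"
               dirCreateMode="0750" fileCreateMode="0640")
        stop
    }

    # $fromhost is the reverse-DNS name of the peer address when rsyslog's DNS
    # lookups are enabled (the default). The regex is anchored at the end so
    # a name such as "x.storage.foo.com.attacker.example" does not match.
    if $fromhost-ip == "172.20.23.132"
       or re_match($fromhost, "\\.storage\\.foo\\.com$") then {
        action(type="omfile" file="/var/log/syslog/core/storage.log"
               dirCreateMode="0750" fileCreateMode="0640")
        stop
    }

    # Everything else: per-source file via the dynamic filename template.
    action(type="omfile" dynaFile="PerSource"
           dirCreateMode="0750" fileCreateMode="0640")
}
```

The `stop` after each action keeps a matched message from also falling through to the fallback file. Check the syntax before restarting with `rsyslogd -N1`. For an audit trail, note that only `$fromhost-ip` is tied to the actual network peer; both `$hostname` (from the message) and `$fromhost` (reverse DNS, which depends on the resolver being trustworthy) can be influenced by someone other than the device administrator, so the IP-based rules are the ones to rely on for compliance evidence.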