You can have any number of templates, and test incoming messages for their hostname or IP address. If your hostnames are well-structured, for example all "systems" start with "sys" such as sys10 and sysabc, then the number of tests can be reduced.
For example,
```
$template mysystems,"/scratch/rsyslog/system/%HOSTNAME%/messages.log"
$template mynets,"/scratch/rsyslog/network/%HOSTNAME%/messages.log"
$template myfirewalls,"/scratch/rsyslog/firewall/%HOSTNAME%/messages.log"
if $fromhost startswith "sys" then -?mysystems
& stop
if $fromhost startswith "net" then -?mynets
& stop
if $fromhost startswith "fw" then -?myfirewalls
& stop
```
The `& stop` line stops the message that matches the previous line from being treated further.
You can test the IP address with, for example,
```
if $fromhost-ip startswith "192.168." then -?mynets
```
If you want to keep the `*.info,...` filter, you can modify the above, for example,
```
if $fromhost startswith "sys" then {
    *.info,mail.none,authpriv.none,cron.none -?mysystems
    & stop
}
```
Note, however, that if you want to not log some items, you should really do this filtering at the sender, not at this end of the network. It is just wasting network bandwidth to send messages that you then filter out and throw away.
See the extensive rsyslog documentation, noting which version you have.
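The same per-host routing in RainerScript object syntax, as an added example that is not part of the original answer. It assumes an rsyslog version that supports `template()` and `action()` objects; the paths and hostname prefixes are the answer's, while the file modes and the combined hostname/IP test for network devices are assumptions made for illustration.

```rsyslog
# Added example, not from the original answer.
# %HOSTNAME% is the name carried inside the message, while $fromhost is the
# system the message was received from; the two can differ (for example
# behind a relay). secpath-replace turns any "/" in the value into "_" so
# the hostname always stays a single directory name under the base path.
template(name="mysystems" type="string"
         string="/scratch/rsyslog/system/%HOSTNAME:::secpath-replace%/messages.log")
template(name="mynets" type="string"
         string="/scratch/rsyslog/network/%HOSTNAME:::secpath-replace%/messages.log")
template(name="myfirewalls" type="string"
         string="/scratch/rsyslog/firewall/%HOSTNAME:::secpath-replace%/messages.log")

# Each rule writes through a dynamic-file template and then stops processing,
# so the message does not also reach later rules.
if $fromhost startswith "sys" then {
    # Modes are assumed values: directories 0750, log files 0640.
    action(type="omfile" dynaFile="mysystems"
           createDirs="on" dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Assumption: network devices are matched by name prefix or by source subnet.
if $fromhost startswith "net" or $fromhost-ip startswith "192.168." then {
    action(type="omfile" dynaFile="mynets"
           createDirs="on" dirCreateMode="0750" fileCreateMode="0640")
    stop
}

if $fromhost startswith "fw" then {
    action(type="omfile" dynaFile="myfirewalls"
           createDirs="on" dirCreateMode="0750" fileCreateMode="0640")
    stop
}
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the daemon is restarted.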
Best Answer
Here is what works for me: