This article is not a tutorial on how to configure rsyslog; it is just a set of example rules to use as a reference.

1. Log to a file in the traditional format

Rsyslogd is an enhanced replacement for the older syslogd, so it has new features and new ways to use it. It still supports the traditional format, however.

The rule below logs everything in the traditional format:

*.*     /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat

2. Forwarding syslog to a remote machine

# Forwarding to remote machine
# ----------------------------
*.*	@172.19.2.16		# udp (standard for syslog)
*.*	@@172.19.2.17		# tcp

3. Filter messages using a regular expression

# Filter using regex
# ------------------
# if a logged message contains the word poweroff or powerofff or poweroffff or ..., then we shut down the PC
# (note that the + has to be escaped with a double backslash)
:msg, regex, "poweroff\\+"	 ^poweroff
# Another, more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla"    ^logger;bla_logged

4. Discarding messages

# Discarding everything
# ----------
*.*	~      # discards everything
# Discarding a particular message
# ----------
:msg, contains, "vtl" ~
# Log the message, then discard it (so it does not pass through the rules that follow)
# ----------
:msg, contains, "vtl" /var/log/vtl.log
& ~

5. Pipes

# Pipes
# -----
# first create the pipe with: mkfifo /a_big_pipe
*.*	|/a_big_pipe

6. Specify a program to execute

*.*			^alsaunmute 	# set the default volume on the sound card

7. Log authentication-related syslog messages by host and program

$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

authpriv.*   ?TmplAuth
# TmplMsg must be defined by its own $template line; its definition is not shown here
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg

8. Log each host's syslog in its own directory

$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
*.* ?RemoteHost

9. More verbose syslog for the local0 facility

$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
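# "precise" is a message format, not a file name template, so it is attached to a file action with ";"
# (the file path below is an example placeholder)
local0.* /var/log/local0.log;precise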

10. A template that resembles the RFC 3164 on-the-wire format

# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
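
Why the missing space matters, shown as an added Python example (not part of the original article or of rsyslog): it parses an RFC 3164 style line into the properties the template names, keeps the leading space as part of msg, and renders the template again. The regular expression, the function names and the sample line are constructed for illustration.

```python
import re

# RFC 3164 style line: <PRI>TIMESTAMP HOSTNAME TAG MSG, with PRI = facility * 8 + severity.
# Assumption: no delimiter is consumed between tag and message, so the space
# that usually follows the tag stays at the start of msg.
LINE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>[^\s:\[]{1,32}(?:\[\d+\])?:?)"
    r"(?P<msg>.*)",
    re.S,
)

def parse(line):
    """Split a line into template properties; msg keeps its leading space."""
    m = LINE.fullmatch(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line")
    props = m.groupdict()
    pri = int(props["pri"])
    if pri > 191:  # 24 facilities (0-23) * 8 severities (0-7)
        raise ValueError("PRI out of range")
    props["syslogfacility"], props["syslogpriority"] = divmod(pri, 8)
    return props

def render(props, tag_msg_separator=""):
    """Python equivalent of "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"."""
    return "<{pri}>{timestamp} {hostname} {syslogtag}{sep}{msg}".format(
        sep=tag_msg_separator, **props)

# Constructed sample message (not taken from the original page).
SAMPLE = "<38>Oct 11 22:14:15 web01 sshd[4721]: Accepted publickey for deploy"

def demo():
    """Return the parsed properties, the faithful rendering and the one with an extra space."""
    props = parse(SAMPLE)
    return props, render(props), render(props, " ")

if __name__ == "__main__":
    props, faithful, padded = demo()
    print(repr(props["syslogtag"]), repr(props["msg"]))
    print(faithful == SAMPLE, padded == SAMPLE)
```

With the template as written the line round-trips byte for byte; putting a space between %syslogtag% and %msg% doubles the space after the tag, which is what the sp-if-no-1st-sp option in section 11 guards against.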

11. Log messages for a specified program

# A template for higher-precision timestamps + severity logging
$template highprecisiontempl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

:programname, isequal, "sshd"    /var/log/sshd.log # log all sshd messages to a file

:programname, startswith, "abc"    /var/log/abc.log;highprecisiontempl
# log messages from programs whose names start with abc to abc.log