rsyslogd Duplicate Logging To Local syslog

After setting up a central log storage server, I found that incoming messages from remote hosts were being logged properly to /var/log/%HOSTNAME/%PROGRAMNAME%.log as well as /var/log/syslog

Not a fan of this duplicated data, it took quite a few tries to get this resolved. Most answers I could find were suggesting the use of a deprecated method (% ~) which I wanted to avoid.

In the end, I moved all the remote logging configurations to /etc/rsyslog.d/10-remote.conf and this was the working entries:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
if ($fromhost != "server-hostname" ) then ?RemoteLogs
& stop

Of course, replace “server-hostname” with the name of your rsyslogd server.

This should greatly reduce the disk space used by logs.