LinuxQuestions.org
Old 01-17-2014, 10:45 AM   #1
grodech
rsyslog - separating logs


I have my Ubuntu (12.04) workstation set up to receive syslog messages from other devices. I was trying to get rsyslog to generate separate log files for the other devices based on hostname, but leave its own internal logs as is. What's happening at this point is that all the syslog entries are going into the default syslog log file as well as going into the individual host-based log files.

In the rsyslog.conf file, I added the following template:

Quote:
###########################
#### GLOBAL DIRECTIVES ####
###########################

# Template to generate the log file name dynamically
$template FILENAME,"/var/log/homeagent/%HOSTNAME%.syslog.log"
*.* ?FILENAME
It kind of works, but it's generating a new file even for the localhost, and it's still putting everything in the /var/log/syslog file. What am I missing to get it to not log the other hosts in /var/log/syslog?
 
Old 01-18-2014, 01:41 AM   #2
RootMason
Does this help at all? It certainly isn't much like your specific scenario, but perhaps the use of the if statements will work.

Storing Messages from a Remote System into a Specific File

This is a log-consolidation scenario. There exist at least two systems, a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally. If they do, it doesn't matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.

Messages from remote hosts in the 192.0.1.x network shall be written to one file and messages from remote hosts in the 192.0.2.x network shall be written to another file.
Things to think about

TCP reception is not a built-in capability. You need to load the imtcp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top.

Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.
Config Statements

$ModLoad imtcp
$InputTCPServerRun 10514
# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~
# local/regular rules, like
*.* /var/log/syslog.log

How it works

It is important that the rules processing the remote messages come before any rules to process local messages. The if statements above check whether a message originates on the network in question and, if so, write it to the appropriate log. The next line ("& ~") is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that "& ~", messages would also be written to the local files.

Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses "192.0.1.1" and "192.0.10.1" start with "192.0.1", but only one actually starts with "192.0.1."!
 
Old 01-20-2014, 09:59 AM   #3
grodech
I had seen that post in my searches, along with others, and it did help somewhat, though as you said it is not the same as my situation. While I could set it up to search for specific things as this post says, I would have to change the rsyslog.conf file every time an IP address was added or changed. Utilizing the %hostname% helps with that.

I noticed that the example includes "& ~" after each line. What does that do?
 
Old 01-20-2014, 11:56 AM   #4
grodech
Ok - after a thorough reading, the & ~ is supposed to stop processing the message. I've changed my rsyslog.conf to be as follows:
Quote:
# Template to generate the log file name dynamically
$template FILENAME,"/var/log/homeagent/%HOSTNAME%.log"
if $fromhost-ip startswith '172.16' then ?FILENAME
& ~
#
This seems to work better. I don't get a separate file for the local workstation, however the other devices still appear in the local syslog file as well as in the individual logs. It almost seems like the messages keep processing even though I have the & ~ in there.
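The behaviour described in post #2 (rules evaluated top to bottom, "& ~" discarding the message, the trailing dot on the prefix) and the config in post #4 can be checked offline with a small simulation of rsyslog's legacy rule evaluation. The following is an added example written for this thread; it is neither rsyslog code nor anything posted above. The sample messages are constructed, and `secpath_replace` only mimics what rsyslog's property replacer option `secpath-replace` does (a `%HOSTNAME:::secpath-replace%` template property turns slashes into underscores). Two caveats a practitioner will want: `%HOSTNAME%` is whatever the sender put in the syslog header, so a remote host can steer the dynamic file name out of `/var/log/homeagent/` unless the template is sanitised, and `$fromhost-ip` comes from the receiving socket, which over UDP is trivially spoofable. On rsyslog 7 and later the "& ~" line is replaced by the `stop` keyword, but the evaluation order modelled here is the same.

```python
import os
from collections import defaultdict

# Constructed sample traffic: (fromhost-ip, HOSTNAME header, message text).
# The last two entries are deliberate traps, not real hosts on the OP's LAN.
MESSAGES = [
    ("127.0.0.1",   "workstation",         "local cron job ran"),
    ("172.16.0.5",  "router1",             "link up"),
    ("172.16.0.9",  "ap2",                 "client associated"),
    ("172.160.4.4", "stranger",            "not on our LAN"),    # '172.16' prefix trap
    ("172.16.0.77", "../../../tmp/escape", "hostile HOSTNAME"),  # path traversal trap
]

TEMPLATE = "/var/log/homeagent/%HOSTNAME%.log"  # the OP's $template FILENAME
SYSLOG = "/var/log/syslog"                       # the distro's catch-all '*.*' target


def secpath_replace(value):
    """Mimic rsyslog's secpath-replace property option: '/' becomes '_',
    so a hostname can never add path components to the template."""
    return value.replace("/", "_")


def render_filename(template, hostname, secure):
    """Expand %HOSTNAME% as the template would and resolve '..' the way the
    kernel will when rsyslog opens the file."""
    if secure:
        hostname = secpath_replace(hostname)
    return os.path.normpath(template.replace("%HOSTNAME%", hostname))


def route(messages, rules, secure=False):
    """Evaluate legacy-style rules top to bottom for each message.

    rules: list of (ip_prefix, target, stop).  ip_prefix None models an
    unfiltered '*.*' line; target '?FILENAME' means the dynamic template;
    stop=True models the '& ~' (discard) line following an action.
    Returns {resolved path: [message text, ...]}.
    """
    files = defaultdict(list)
    for ip, hostname, text in messages:
        for prefix, target, stop in rules:
            if prefix is not None and not ip.startswith(prefix):
                continue
            if target == "?FILENAME":
                path = render_filename(TEMPLATE, hostname, secure)
            else:
                path = target
            files[path].append(text)
            if stop:
                break  # '& ~': no later rule sees this message
    return dict(files)


def remote_rule_first():
    """Post #4's rules in the order written: remote filter, '& ~', catch-all."""
    return route(MESSAGES, [("172.16", "?FILENAME", True), (None, SYSLOG, False)])


def catch_all_first():
    """Same rules, but the '*.*' line is evaluated before the remote filter."""
    return route(MESSAGES, [(None, SYSLOG, False), ("172.16", "?FILENAME", True)])


def hardened():
    """Trailing dot on the prefix plus secpath-replace on the template."""
    return route(MESSAGES, [("172.16.", "?FILENAME", True), (None, SYSLOG, False)],
                 secure=True)


if __name__ == "__main__":
    for name, fn in [("remote rule first", remote_rule_first),
                     ("catch-all first", catch_all_first),
                     ("hardened", hardened)]:
        print(f"== {name} ==")
        for path, texts in fn().items():
            print(f"  {path}: {texts}")
```

Running it shows three things. With the remote rule first, remote messages land only in the per-host files, but the bare '172.16' prefix also captures 172.160.4.4, and the hostile HOSTNAME writes to /tmp/escape.log. With the catch-all evaluated first, every remote message appears in /var/log/syslog as well as in its per-host file even though "& ~" is present, which is the symptom post #4 describes. With the trailing dot and the sanitised template, the stranger falls through to /var/log/syslog and the traversal attempt becomes a single file name inside /var/log/homeagent/.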
 