To have rsyslogd automatically create directories and files for whatever is sent to it, just put this in your rsyslog.conf file (or a .conf file in /etc/rsyslog.d):

    # provide UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

    $template DynFile,"/var/log/syslogs/%fromhost-ip%-%fromhost%/%$YEAR%-%$MONTH%-%syslogfacility-text%"

    # log everything from remote servers to one file per host+month+facility
    if $inputname == 'imudp' or $inputname == 'imtcp' then ?DynFile
    # stop logging from remote servers
    if $inputname == 'imudp' or $inputname == 'imtcp' then ~

All directories and files are created under /var/log/syslogs, one directory per ip-hostname pair, and one file per facility per month.
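You can also add this as an executable script in your /etc/cron.monthly folder so that old files are compressed on a regular basis. Files there are scripts run as root, so they take no schedule or user fields; as an /etc/cron.d entry the same command would be prefixed with 52 7 1 * * root.

    #!/bin/sh
    /usr/bin/find /var/log/syslogs -type f -mtime +31 ! -name '*.gz' -print0 | xargs -0 -r nice -n19 gzip --fast
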
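With UDP reception a sender that stops logging produces no error, but the per-host, per-month layout makes the gap visible. Added example, not from the original post: it parses the directory and file names the DynFile template produces (including the .gz files left by the monthly job) and lists hosts that have older files but none for the current month. The function names and the sample tree are made up for illustration.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# File names follow the template: <YEAR>-<MONTH>-<facility>, plus .gz once compressed.
FILE_RE = re.compile(r"^(\d{4})-(\d{2})-([a-z0-9]+)(?:\.gz)?$")

def parse_host_dir(name):
    """Split '<fromhost-ip>-<fromhost>' at the first '-'; hostnames may contain '-'."""
    ip, sep, host = name.partition("-")
    return (ip, host) if sep and ip and host else None

def inventory(root):
    """Return {(ip, host): {(year, month, facility), ...}} for the tree under root."""
    seen = {}
    for host_dir in Path(root).iterdir():
        key = parse_host_dir(host_dir.name) if host_dir.is_dir() else None
        if key is None:
            continue  # not something the template would have created
        months = seen.setdefault(key, set())
        for f in host_dir.iterdir():
            m = FILE_RE.match(f.name)
            if m and f.is_file():
                months.add((int(m.group(1)), int(m.group(2)), m.group(3)))
    return seen

def quiet_hosts(root, today):
    """Hosts with older files but nothing for today's month, with their last month."""
    current = (today.year, today.month)
    quiet = []
    for (ip, host), entries in inventory(root).items():
        last = max(((y, mo) for y, mo, _ in entries), default=None)
        if last is not None and last < current:
            quiet.append((ip, host, last))
    return sorted(quiet)

def build_sample_tree(root):
    """Constructed sample data: two senders, one of which stopped in May 2024."""
    sample = {
        "192.0.2.10-web-01.example.net": ["2024-05-auth.gz", "2024-06-auth", "2024-06-daemon"],
        "192.0.2.11-db01": ["2024-04-cron.gz", "2024-05-kern"],
    }
    for host_dir, files in sample.items():
        (Path(root) / host_dir).mkdir(parents=True)
        for name in files:
            (Path(root) / host_dir / name).write_text("constructed sample line\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(quiet_hosts(tmp, date(2024, 6, 15)))
```

Point quiet_hosts at /var/log/syslogs with date.today() to run it against the real tree.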
A better solution would be a logstash setup with Kibana or a Synology NAS, but this is always useful anyway :)