Syslog-ng - how to organize a centralized collection of logs?
Greetings!
The task is to catch logs from different hosts and sort them into directories.
Server: OS CentOS 6.5 / syslog-ng ver. 3.2
Current settings:
cat /etc/syslog-ng/syslog-ng.conf
...
source z { udp(); };
destination z1 { file("/var/log/DIR/$DAY$MONTH/logfile" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
filter exim { match("exim") or program("exim4") or program("exim");};
log { source(z); filter(exim); destination(z1); };
# a second udp() source would try to bind 514/udp again; source z already receives everything
source x { udp(); };
destination x1 { file("/var/log/DIR/$DAY$MONTH/logfile"); };
# distinct filter name: syslog-ng does not allow two filters both named exim
# "host.ru | host | ip" is a placeholder for one of: host name, short name or IP address
filter exim_by_host { host("host.ru | host | ip") or program("exim4") or program("exim");};
log { source(x); filter(exim_by_host); destination(x1); };
@opium, thanks for the reply. The problem was on the sending host: it wasn't sending anything, dammit)
As a result, this is the config on the collector:
source s_input {
internal();
# catch everyone via UDP
udp(ip("0.0.0.0"));
};
destination NEW_LOG { file("/var/log/.../$DAY$MONTH/may.log" create_dirs(yes) owner("USER") group("GROUP") dir_owner("USER") perm(0640) dir_perm(0750) dir_group("GROUP") ); };
filter NEW_FILTER { host("HOST_NAME");};
log { source(s_input); filter(NEW_FILTER); destination(NEW_LOG); };
# NEW_LOG - arbitrary name of the destination
# USER - owner, be sure to specify a real owner who has write permissions
# GROUP - group, be sure to specify a real group that has write permissions
# NEW_FILTER - arbitrary filter name
# HOST_NAME - host name, you can also specify it in advance in /etc/resolv.conf
Don't forget to close unused ports.
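Since the fault turned out to be on the sending side, a small helper to check that side is useful. This is an added example, not code from the question or from syslog-ng: it builds an RFC 3164 datagram of the kind udp() receives, can send it to the collector, and parses a received line into the fields that the host() and program() filters match on. The host names, collector address and port are assumed values.

```python
"""Build, send and parse RFC 3164 (BSD syslog) datagrams."""
import re
import socket
import time

# numeric codes as defined in RFC 3164 (subset)
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# <PRI>Mmm dd hh:mm:ss HOST PROGRAM[PID]: message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def build_message(facility, severity, host, program, msg, pid=None, ts=None):
    """Assemble one syslog line; PRI is facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = ts or time.strftime("%b %d %H:%M:%S")
    tag = f"{program}[{pid}]" if pid is not None else program
    return f"<{pri}>{ts} {host} {tag}: {msg}"


def parse_message(line):
    """Split a line into the fields syslog-ng's host()/program() filters see.

    Returns None for a line that is not valid RFC 3164, which is what a
    collector silently drops or files under the wrong host.
    """
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "program": m["program"], "pid": m["pid"], "msg": m["msg"]}


def send_udp(line, collector, port=514):
    """Emit one datagram the way a sending host would (collector/port assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (collector, port))


if __name__ == "__main__":
    # constructed sample: what the exim filter in the question would catch
    probe = build_message("mail", "info", "mx1", "exim", "probe", pid=4242)
    print(probe, parse_message(probe))
    # send_udp(probe, "192.0.2.10")  # assumed collector address
```

Run it on the sending host while watching the collector's log directory: if the parsed fields show the expected host and program but nothing arrives, the problem is the sender's network path or daemon, not the syslog-ng filters.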
Why are you doing it through a filter then?
According to the first Google hit, in syslog-ng it is configured almost the same way as in rsyslog:
destination logpile {
file("/logs/$HOST/$YEAR/$MONTH/$FACILITY.$YEAR$MONTH$DAY"
owner(root) group(root) perm(0600)
create_dirs(yes) dir_perm(0700)); };
log { source(inputs); destination(logpile); };
Logs of various types. I just need to take everything from "this IP" and write it to the specified file, filtering by service and catching by host name / IP address.
Your version works fine, but unfortunately it isn't quite suitable for this situation.
There is a full article here
https://habrahabr.ru/post/345968/