I am having a problem with rsyslog that is duplicating the logs. I have configured rsyslog to receive logs from remote servers - Windows(installed a service that is converting events to syslog) and Linux. For this purpose I have added the following rows in rsyslog.conf as here:
######################
#### REMOTE RULES ####
######################
if $fromhost-ip == 'xx.xxx.xxx.xxx' then /var/log/RemoteSystems/remote1/remote1.log
&~
#
if $fromhost-ip == 'xx.xxx.xxx.xxy' then /var/log/RemoteSystems/remote2/remote2.log
&~
#
............
I would like to receive the logs only in these files - remote1.log and remote2.log, but some logs are also duplicated in auth.log, syslog, kern.log.
The other 2 conf files under rsyslog.d are default for Ubuntu.
From the rsyslog site: