Proper rsyslog configuration

Solution 1:

In my case (Ubuntu 12.04), with a similar configuration, directories were also not being created. Events were being logged into the existing files but without the hostname being tagged, so it was not obvious that it was (almost) working.

I suggest:

  1. Verify that traffic is being received. On the server, try:

    sudo tcpdump tcp port 514

  2. Configure the client to send the correct hostname. Add this line to /etc/rsyslog.conf:

    $LocalHostName [client]

  3. Verify that log entries from [client] are appearing in [server] log files.

  4. Your server config file defines a template named TmplAuth, but nothing is using it. Add this line immediately after it:

    *.* ?TmplAuth

Of course, whenever you change a config file, you'll need to restart rsyslog on that machine.

After the above, my TmplAuth was being applied to all logs (including local): directories were created and a log file for each program generated. This isn't quite what I was after, but represents a big step forward. I'm now looking at changing the template instead of puzzling about why it wasn't working.

Solution 2:

I cannot comment, so I add a new answer: Most probably the issue is, as was said by Zaq, that TmplAuth was intended to be used for writing a dynamic filename. That part is actually missing.

Other than that, we (the rsyslog project) have often seen such issues being caused by

  • AppArmor settings (unlikely)
  • Firewall configuration (likely)

So you definitely want to have a look at this.
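
Added example, not part of either answer and not the rsyslog project's own configuration: a client and server fragment in the legacy directive syntax showing a dynamic-file template that a rule actually references, which is the missing piece both answers point to. The template body, the TCP forwarding line and the sender-address filter are assumptions, since the original TmplAuth definition is not shown on this page; [client] and [server] are the page's placeholders.

```conf
# ---- /etc/rsyslog.conf on [client] ----

# Send the hostname the server should tag entries with (step 2 above).
$LocalHostName [client]

# Assumed forwarding rule: "@@" forwards over TCP, a single "@" would use UDP.
*.* @@[server]:514


# ---- /etc/rsyslog.conf on [server] ----

# Listen for syslog over TCP on port 514, the port checked with tcpdump.
$ModLoad imtcp
$InputTCPServerRun 514

# Allow rsyslog to create missing directories for dynamic file names.
$CreateDirs on

# Assumed template body: one directory per sending host, one file per program.
$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

# A template does nothing until a rule references it with "?".
# "*.* ?TmplAuth" applies it to every message, local ones included.
# This property filter applies it only to messages that did not
# originate on the server itself (local messages carry 127.0.0.1).
:fromhost-ip, !isequal, "127.0.0.1" ?TmplAuth
```

Running `rsyslogd -N1` on each machine checks the configuration syntax before the restart. If the per-host directories still do not appear, the AppArmor and firewall settings named in the second answer are the next things to check.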