Rsyslog默认只有514端口，收集来的不同设备日志，无法根据:fromhost-ip, startswith等匹配条件拆分不同目录存放.
目录层级：
/data
-/data/IDC_Linux #收集linux日志存放
-/data/IDC_Windows #收集windows日志存放
-/Office_Network_FW #收集network device日志存放

]# cat default.conf

根据客户端的IP单独存放主机日志在不同目录，目录需要手动创建

$template NetworkLogs,"/data/Networkrsyslog/%fromhost-ip%/%$YEAR%-%$MONTH%/%fromhost-ip%%$YEAR%-%$MONTH%-%$DAY%.log"
$template LinuxLogs,"/data/Linuxrsyslog/%fromhost-ip%/%$YEAR%-%$MONTH%/%fromhost-ip%%$YEAR%-%$MONTH%-%$DAY%.log"

if prifilt(".") then {
:fromhost-ip, startswith, "10.11" ?NetworkLogs
:fromhost-ip, startswith, "10.12" ?LinuxLogs
}
. stop

以上Rsyslog规则，如果多个不同设备在一个网段，则无法实现拆分目录. 如果根据hostname则需要统一修改不同设备的hostname.
考虑使用不同端口收集不同设备日志，规则改进为如下.

~]# cat /etc/rsyslog.conf
......

Include all config files in /etc/rsyslog.d/

include(file="/etc/rsyslog.d/*.conf" mode="optional") #注释

Provides UDP syslog reception

for parameters see http://www.rsyslog.com/doc/imudp.html

module(load="imudp") # needs to be done just once
input(type="imudp" port="514") #可注释

Provides TCP syslog reception

for parameters see http://www.rsyslog.com/doc/imtcp.html

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514") #可注释

Include all config files in /etc/rsyslog.d/

include(file="/etc/rsyslog.d/*.conf" mode="optional") #放到模块规则后
.....

~]# cat /etc/rsyslog.d/multi-port.conf

GLOBAL DIRECTIVES

Use default timestamp format # 使用自定义的日志格式

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate myFormat

根据客户端的IP单独存放主机日志在不同目录，目录需要手动创建

~]# cat /etc/rsyslog.d/multi-port.conf
template(name="IDC_Linux_Msg" type="string"
string="/data/IDCLinux/%fromhost-ip%/%$YEAR%-%$MONTH%/message%$YEAR%-%$MONTH%-%$DAY%.log"
)

template(name="IDC_Windows_Msg" type="string"
string="/data/IDCWindows/%fromhost-ip%/%$YEAR%-%$MONTH%/message%$YEAR%-%$MONTH%-%$DAY%.log"
)

template(name="Office_Network_FW_Msg" type="string"
string="/data/Office_NetworkFW/%fromhost-ip%/%$YEAR%-%$MONTH%/message%$YEAR%-%$MONTH%-%$DAY%.log"
)

ruleset(name="officenetworkfw") {
action(type="omfile" DynaFile="Office_Network_FW_Msg")
stop
}

ruleset(name="idclinux") {
action(type="omfile" DynaFile="IDC_Linux_Msg")
stop
}
{spa.nekotonakayoku.com]
{spa.hxjpg.com]
{spa.qn-solar.com]
{spa.fun-lifeday.com]
{spa.swissryoko.com]
{spa.sc12315.com]

ruleset(name="idcwindows") {
action(type="omfile" DynaFile="IDC_Linux_Msg")
stop
}

input(type="imudp" port="10516" ruleset="officenetworkfw")
input(type="imudp" port="10520" ruleset="idclinux")
input(type="imudp" port="10521" ruleset="idcwindows")

input(type="imtcp" port="10516" ruleset="officenetworkfw")
input(type="imtcp" port="10520" ruleset="idclinux")
input(type="imtcp" port="10521" ruleset="idcwindows")

. stop