We have our default rule (first action); it logs everything to a file called syslogcatchall.txt in D:\syslog\logs. This file is rolled over every 250 MB, so there may be syslogcatchall.txt.001, syslogcatchall.txt.002, etc.
Our second action is to log by hostname using the auto-split function. This then logs to D:\syslog\hostlogs. These files are also set to roll over every 250 MB.
We do this for two reasons: ease of searching for an event on a specific host, and the fact that they have different retention times. We are required to save all log entries for 6 months. We only keep the hostlogs for 30 days as they are for convenience and not a requirement.
At the end of each day at midnight we archive these to F:\archive\logs and F:\archive\hostlogs respectively with the date prepended to the filename.
Then, every day the clean up tasks run and delete any files outside of the respective retention times for each directory.
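A sketch of the retention cleanup described above, as an added example that is not part of the original post or of any syslog product. It assumes the archive job prepends the date as `YYYY-MM-DD-` and treats six months as 183 days; the function names are hypothetical.

```python
import re
from datetime import date, timedelta
from pathlib import Path

# Assumption: the midnight archive job prepends the date as "YYYY-MM-DD-".
DATE_PREFIX = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-")

# Retention from the post: 6 months for the catch-all logs (taken as 183 days
# here, an assumption) and 30 days for the per-host convenience logs.
RETENTION_DAYS = {"logs": 183, "hostlogs": 30}


def archived_on(name):
    """Return the date encoded in an archive file name, or None if absent/invalid."""
    m = DATE_PREFIX.match(name)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. 2024-13-40
        return None


def plan_cleanup(archive_root, today, retention=RETENTION_DAYS):
    """List files past retention, and files skipped because they carry no date."""
    expired, skipped = [], []
    for subdir, days in retention.items():
        cutoff = today - timedelta(days=days)
        folder = Path(archive_root) / subdir
        if not folder.is_dir():
            continue
        for f in sorted(folder.iterdir()):
            if not f.is_file():
                continue
            stamp = archived_on(f.name)
            if stamp is None:
                skipped.append(f)  # never delete what we cannot date
            elif stamp < cutoff:
                expired.append(f)
    return expired, skipped


def run_cleanup(archive_root, today, dry_run=True):
    """Delete expired archives; with dry_run=True only report what would go."""
    expired, skipped = plan_cleanup(archive_root, today)
    if not dry_run:
        for f in expired:
            f.unlink()
    return expired, skipped
```

Keying the decision on the date in the file name rather than the file's modification time means a copy or restore of the archive volume does not reset the retention clock. Files with no parseable date are reported instead of deleted, so a naming change in the archive job shows up as a growing skipped list and not as lost evidence.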