
# sshd: keep authpriv messages from sshd in /var/log/secure, write every sshd
# message to a dedicated file, then stop processing sshd messages.
# Rule order matters: the /var/log/secure copy must come before the "& stop".
# NOTE(review): the permissions and rotation of /var/log/sshd/sshd.log come
# from settings not shown here. Confirm the file is not world-readable and is
# covered by log rotation; authentication logs typically carry account names
# and source addresses.

# Copy sshd messages logged with facility authpriv to /var/log/secure.
# Presumably this replaces a later default authpriv rule that the stop below
# would bypass - confirm against the config load order.
if $programname == 'sshd' and $syslogfacility-text == 'authpriv' then      /var/log/secure
# Write every message whose program name is exactly "sshd" (any facility) to
# the dedicated sshd log.
:programname, isequal, "sshd"            /var/log/sshd/sshd.log
# "&" attaches this action to the filter on the previous line, so all sshd
# messages are dropped from further processing here. Rules evaluated after
# this point never see sshd events.
# NOTE(review): if remote forwarding or alerting rules exist, confirm they run
# before this snippet; otherwise sshd authentication events never reach them.
& stop

