How to make honeyd save logs in rsyslog

Question

I have a standard install of honeyd from Ubuntu repositories.
Honeyd is saving logs in two files:
/var/log/honeyd/honeyd.log
/var/log/honeyd/daemon.log
I have been trying to setup rsyslog to forward all logs from honeyd.log to a remote server and it is proving impossible.
My /etc/rsyslog.d/50-default.conf looks like this:

$ModLoad imfile
$InputFileName /var/log/honeypot/honeyd.log
$InputFileTag honeyd
$InputFileStateFile stat-honeyd
$InputFileSeverity debug
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local7.* @@remoteserver:514
*.* @remoteserver

On my remote server I have created /var/rsyslog.d/honeyd.conf as so:

if $programname contains 'honeyd' then /var/log/honeyd.log
& ~

With this setup I get all the daemon logs for honeyd on the remote server (honeyd start stop) and arp reply packages for first time communication with a honeyd honeypot. However, logs from honeyd.log are not forwarded.
I have tried with UDP/TCP, making sure syslog has access to honeyd.log by adding the syslog user to the honeyd group but I just cant get it to work.
TCPdump confirms that logs from honeyd.log are not being sent.

honeyd.log entries look like this:

2013-07-10-16:31:07.5939 icmp(1) - sourceip destip: 8(0): 84
2013-07-10-16:31:08.5951 icmp(1) - sourceip destip: 8(0): 84

Does anyone know what I am missing? Thanks for any help in advance.

Answer 1

I think your problem is here:

local7.* @@remoteserver:514
*.* @remoteserver

You're sending anything tagged with the local7 helper through TCP using the @@ designation. Below that you're sending ALL data via UDP. My guess would be that if you commented out the first command you would be fine since everything else seems to be getting there find via UDP.