There are things to do on both the server and the hosts.
Append the following line to the /etc/rsyslog.conf file and restart the rsyslog service.
Uncomment those lines in
    # provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
Add a file in the /etc/rsyslog.d directory for each remote logging host, with the following content:

    $template myhostname, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    if $fromhost-ip == 'HOST_IP_ADDRESS' then ?myhostname
This will store log files of remote hosts in different folders following the hostname, with filenames corresponding to the name of the program that emitted logs.
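
The per-host file from the last step can be generated instead of typed by hand, with the address checked before it reaches a configuration file that rsyslog reads as root. This is an added example, not part of the original page. The function names, the host label reused as both template name and file name (`<label>.conf`), and the sample address are assumptions.

```sh
#!/bin/sh
# Added example: build the per-host rule file described above.
# Assumptions: the label doubles as template name and file name (<label>.conf).

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only for a label that is safe as a template and file name.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Print the rule file content for one host: host_rule LABEL IP
host_rule() {
    valid_label "$1" || { echo "invalid label: $1" >&2; return 1; }
    valid_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 1; }
    printf '%s\n' \
        "\$template $1, \"/var/log/%HOSTNAME%/%PROGRAMNAME%.log\"" \
        "if \$fromhost-ip == '$2' then ?$1"
}

# Write DIR/LABEL.conf, leaving no file behind when validation fails.
write_host_rule() {
    rule=$(host_rule "$2" "$3") || return 1
    printf '%s\n' "$rule" > "$1/$2.conf"
}
```

Running `rsyslogd -N1` after writing the file checks the configuration before the service is restarted.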