Separating client messages into their own files

This is something else that's easy-peasy. We'll just make a couple of simple edits to the rsyslog rules on the log server and restart the rsyslog daemon. For our demo, I'll use the CentOS 8 VM.

In the RULES section of the /etc/rsyslog.conf file, I'll look for this line:

*.info;mail.none;authpriv.none;cron.none   /var/log/messages

And I'll change it to this:

*.info;mail.none;authpriv.none;cron.none ?Rmessages

Above that line, I'll insert this line:

$template Rmessages,"/var/log/%HOSTNAME%/messages"

I'll then do likewise for the auth messages:

# authpriv.* /var/log/secure
$template Rauth,"/var/log/%HOSTNAME%/secure"
auth.*,authpriv.* ?Rauth

Finally, I'll restart rsyslog:

sudo systemctl restart rsyslog

Now, when I look in the /var/log directory, I see directories for each of the clients that are sending logs to this server. Pretty slick, eh?

The trick here is that a $template line must always precede the rule that references it, because rsyslog reads its configuration from top to bottom and will reject a ?Name reference to a template it has not yet seen.
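The following script is an added example, not code from the book. It renders the same two template-plus-rule pairs as a drop-in fragment and then checks, for any rsyslog file you hand it, that every ?Name reference comes after its $template definition. Two assumptions beyond what the chapter shows: the fragment uses rsyslog's secpath-replace property option so that a "/" in a client-supplied %HOSTNAME% is turned into "_" instead of becoming a path component under /var/log, and the output file location (/etc/rsyslog.d/) is illustrative. Remember that with plain UDP transport the hostname is whatever the client claims, so per-host directories separate logs for convenience; they do not authenticate the sender.

```shell
#!/bin/sh
# Added example (not from the book): render per-host rsyslog rules and check
# that each ?Template reference is preceded by its $template line.

# Print the rsyslog fragment. The hostname in the file path comes from the
# client's message, so secpath-replace (an rsyslog property-replacer option)
# rewrites any "/" in it to "_" before it is used as a dynamic file name.
render_rsyslog_fragment() {
    cat <<'EOF'
# Per-client log files; %HOSTNAME% is taken from the received message.
$template Rmessages,"/var/log/%HOSTNAME:::secpath-replace%/messages"
*.info;mail.none;authpriv.none;cron.none ?Rmessages

$template Rauth,"/var/log/%HOSTNAME:::secpath-replace%/secure"
auth.*,authpriv.* ?Rauth
EOF
}

# Ordering check: return 0 if every "?Name" reference in FILE appears after a
# "$template Name," line; otherwise report the first offender and return 1.
check_template_order() {
    file=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            \#*|'') continue ;;          # skip comments and blank lines
        esac
        # A rule that writes through a template ends in "?Name".
        ref=$(printf '%s\n' "$line" \
              | sed -n 's/.*[[:space:]]?\([A-Za-z0-9_]*\)[[:space:]]*$/\1/p')
        if [ -z "$ref" ]; then
            continue
        fi
        # The template must be defined on an earlier line of the same file.
        if ! head -n "$((lineno - 1))" "$file" | grep -q '^[$]template '"$ref,"; then
            echo "line $lineno: ?$ref is used before \$template $ref is defined" >&2
            return 1
        fi
    done < "$file"
    return 0
}

# Usage: sh per-host-logs.sh render > /etc/rsyslog.d/10-per-host.conf
#        sh per-host-logs.sh check /etc/rsyslog.conf
if [ "${1:-}" = "render" ]; then
    render_rsyslog_fragment
elif [ "${1:-}" = "check" ]; then
    check_template_order "$2"
fi
```

If you drop the rendered fragment into /etc/rsyslog.d/ instead of editing /etc/rsyslog.conf as the chapter does, the stock *.info rule that writes to /var/log/messages still fires as well, so comment it out as shown above. Before restarting, run rsyslogd -N1 to have rsyslog parse the configuration without starting; an ordering mistake shows up there rather than in a daemon that silently stops writing the affected rule.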

And that wraps it up for another chapter. You now know about what to look for in log files, how to make log reviews easier, and how to set up a secure remote log server.
