Hello Experts: I need to configure an rsyslog server where 1) all the clients send all their log files to it, and 2) all the clients also send their auth.log files separately to the rsyslog server.
I have part 1 working, but I cannot get part 2 working. One of the requirements is that on the rsyslog server, the clients need to have their hostnames and not their FQDN.
I have really run out of ideas on how to complete this task at work.
This is the part that is working, which is part 1:
##RULES##
$LocalHostname CLIENT1NAME
*.* @172.31.80.166:514
*.* @@172.31.80.166:514
The configuration above produces what I want. However, when I try to add this configuration:
##RULES##
$LocalHostname CLIENT1NAME
$Ruleset auth_test
auth,authpriv.* /log/$LocalHostname/auth.log
auth,authpriv.* @172.31.80.166:514
auth,authpriv.* @@172.31.80.166:514
$ModLoad imtcp
$InputTCPServerBindRuleset auth_test
$InputTCPServerRun 514
*.* @172.31.80.166:514
*.* @@172.31.80.166:514
This configuration is not working. I need the auth and authpriv logs to go to the remote rsyslog server as /logs/CLIENT1NAME/YEAR/MONTH/DAY/auth.log, and all others into /logs/CLIENT1NAME/YEAR/MONTH/DAY/.
This is an example of what is working:
[root@ip-172-31-80-166 logs]# ls -l CLIENT1NAME/2021/09/21/
total 32
-rw-r--r--. 1 root root 425 Sep 21 17:57 dbus-daemon.log
-rw-r--r--. 1 root root 147 Sep 21 17:57 NetworkManager.log
-rw-r--r--. 1 root root 484 Sep 21 17:33 rsyslogd.log
-rw-r--r--. 1 root root 422 Sep 21 17:57 sshd.log
-rw-r--r--. 1 root root 96 Sep 21 17:33 sudo.log
-rw-r--r--. 1 root root 5982 Sep 21 17:55 systemd.log
-rw-r--r--. 1 root root 352 Sep 21 17:57 systemd-logind.log
[root@ip-172-31-80-166 logs]#
The rsyslog server is the one with IP 172.31.80.166.
This is the rsyslog version:
[root@ip-172-31-80-166 logs]# rsyslogd -v
rsyslogd 8.24.0-57.el7_9.1, compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
See http://www.rsyslog.com for more information.
[root@ip-172-31-80-166 logs]#
This is the rsyslog server configuration in /etc/rsyslog.d/rsyslog_custom.conf:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$DirCreateMode 0755
$FileCreateMode 0644
$umask 0022
$PrivDropToUser root
$PrivDropToGroup root
$PreserveFQDN off
$template TmplMsg, "/logs/%HOSTNAME:::uppercase%/%$YEAR%/%$MONTH%/%$DAY%/%PROGRAMNAME%.log"
*.* ?TmplMsg
The rsyslog server is running on Red Hat 7.9.
Note: As this is a work in progress, its requirements might change. So far, this is what my manager has requested from me in this assignment.
Thanks!
--Willie
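The following is an added example, not the poster's configuration, showing one way to meet the requirement stated in the question: every client forwards all its messages once, and the server writes auth/authpriv to a per-client, per-day auth.log while everything else goes to per-program files. It keeps the poster's IP address, port and /logs layout and assumes rsyslog 8.x RainerScript syntax (available in the 8.24 build shown above). Two points it relies on: a ruleset only ever sees messages from inputs bound to it, so binding one to imtcp on the client (as in the question) does nothing for locally generated messages; and $PreserveFQDN on the server only affects the server's own hostname, so the directory name comes from whatever HOSTNAME the client puts on the wire, which is why $LocalHostname stays on the client side.

```rsyslog
# ---- Server side: /etc/rsyslog.d/remote_logs.conf (added example) ----
module(load="imudp")
module(load="imtcp")

# Bind both listeners to their own ruleset so remote messages never fall
# through to the server's default rules (/var/log/messages, /var/log/secure)
# and the server's own local messages never end up under /logs/.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per program for everything that is not auth/authpriv.
template(name="TmplPerProgram" type="string"
         string="/logs/%HOSTNAME:::uppercase%/%$YEAR%/%$MONTH%/%$DAY%/%PROGRAMNAME%.log")

# One auth.log per client per day for the auth and authpriv facilities.
template(name="TmplAuth" type="string"
         string="/logs/%HOSTNAME:::uppercase%/%$YEAR%/%$MONTH%/%$DAY%/auth.log")

ruleset(name="remote") {
    # prifilt() accepts the classic facility.priority selector syntax.
    if prifilt("auth,authpriv.*") then {
        action(type="omfile" dynaFile="TmplAuth"
               dirCreateMode="0755" fileCreateMode="0644")
        stop   # do not also write these lines to <program>.log
    }
    action(type="omfile" dynaFile="TmplPerProgram"
           dirCreateMode="0755" fileCreateMode="0644")
}

# ---- Client side: /etc/rsyslog.d/forward.conf (added example) ----
# Short hostname on the wire; the server uses it as the directory name.
$LocalHostname CLIENT1NAME

# No imtcp listener and no ruleset on the client: local messages always
# run through the default ruleset, so the forwarding rule lives there.
# Forward everything exactly once, over TCP. Sending with both @ (UDP) and
# @@ (TCP) to the same server, as in the question, duplicates every line.
# The disk-assisted queue keeps auth events from being dropped while the
# server is unreachable; the file is created under rsyslog's work directory
# (/var/lib/rsyslog on RHEL 7).
*.* action(type="omfwd" target="172.31.80.166" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_remote"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Check either file with `rsyslogd -N1 -f <file>` before restarting the service. Two caveats for a collector built this way: the directory name is taken from a client-asserted field, so anything that can send a UDP packet to port 514 can write into any client's tree (compare with %FROMHOST-IP%, which is the actual peer address), and plain syslog over TCP or UDP is neither authenticated nor encrypted. If the clients are not on a trusted segment, move to imtcp/omfwd with the gtls stream driver and client certificates, or restrict port 514 to the client addresses in the host firewall.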