After setting up a central log storage server, I found that incoming messages from remote hosts were being logged properly to /var/log/%HOSTNAME/%PROGRAMNAME%.log as well as /var/log/syslog
Not a fan of this duplicated data, it took quite a few tries to get this resolved. Most answers I could find were suggesting the use of a deprecated method (% ~) which I wanted to avoid.
In the end, I moved all the remote logging configurations to /etc/rsyslog.d/10-remote.conf and this was the working entries:
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" if ($fromhost != "server-hostname" ) then ?RemoteLogs & stop
Of course, replace “server-hostname” with the name of your rsyslogd server.
This should greatly reduce the disk space used by logs.