Yep, BPS should be installed on each site. When you have a root site and a subdirectory site that share a common TLD, the root site’s Security Log logs the majority of blocked hacking attempts due to the way the attack strings/vectors on a website are generalized to target the TLD. So you should see some logged attacks in your subdirectory site’s Security Log, but not nearly as many as you will see in your root site’s Security Log. Eventually, when your subdirectory site’s Security Log reaches the max log file size setting that you have chosen, it will be zipped and emailed to you.