Rate-limit
Feb 13 10:32:17 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:19 gw207 rsyslogd-2177: imuxsock lost 108 messages from pid 2178 due to rate-limiting
Feb 13 10:32:43 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:47 gw207 rsyslogd-2177: imuxsock lost 24 messages from pid 2178 due to rate-limiting
Feb 13 10:32:17 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:19 gw207 rsyslogd-2177: imuxsock lost 108 messages from pid 2178 due to rate-limiting
Feb 13 10:32:43 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:47 gw207 rsyslogd-2177: imuxsock lost 24 messages from pid 2178 due to rate-limiting
$SystemLogRateLimitInterval [number] default 5 $SystemLogRateLimitBurst [number] default 200
This means in plain words, that rate limiting will take effect if more than 200 messages occur in 5 seconds.
http://www.rsyslog.com/tag/rate-limiting/
Centralizing the audit log
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
and on the receiving rsyslog server, I configure the following to collect all audit events into one file per day:
# Log linux audit log on original format:
$template HostAudit, "/var/log/audit/%$YEAR%/%$MONTH%/%$DAY%/audit.log"
$template auditFormat, "%msg%\n"
:programname, isequal, "audispd" -?HostAudit;auditFormat
:programname, isequal, "audispd" ~
http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log
