Rate-limit
Feb 13 10:32:17 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:19 gw207 rsyslogd-2177: imuxsock lost 108 messages from pid 2178 due to rate-limiting
Feb 13 10:32:43 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:47 gw207 rsyslogd-2177: imuxsock lost 24 messages from pid 2178 due to rate-limiting
$SystemLogRateLimitInterval [number] default 5
$SystemLogRateLimitBurst [number] default 200
In plain words, this means that rate limiting takes effect if more than 200 messages occur within 5 seconds.
http://www.rsyslog.com/tag/rate-limiting/
Centralizing the audit log
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
And on the receiving rsyslog server, I configure the following to collect all audit events into one file per day:
# Log Linux audit log in original format:
$template HostAudit, "/var/log/audit/%$YEAR%/%$MONTH%/%$DAY%/audit.log"
$template auditFormat, "%msg%\n"
:programname, isequal, "audispd" -?HostAudit;auditFormat
:programname, isequal, "audispd" ~
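As an added illustration (not code from the post or from the rsyslog project), the script below models what the receiving server does with the lines shown above: it parses BSD syslog lines, routes audispd records to the per-day path the HostAudit template produces (bare %msg% per line, as auditFormat does), totals the messages imuxsock reports lost to rate-limiting (every such total is a hole in the central audit trail that no later collection can fill), and includes a simplified model of the $SystemLogRateLimitInterval / $SystemLogRateLimitBurst rule. The sample log, the year 2024 supplied for the year-less BSD timestamps, the audit record and the sshd line are constructed; in rsyslog %$YEAR%/%$MONTH%/%$DAY% come from the receiver's clock, which this model approximates with the message timestamp.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what the central rsyslog server receives: the four
# rate-limiting notices quoted in the post, one made-up forwarded audit
# record from audispd, and an unrelated sshd line the audispd rules must skip.
SAMPLE_LOG = """\
Feb 13 10:32:17 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:19 gw207 rsyslogd-2177: imuxsock lost 108 messages from pid 2178 due to rate-limiting
Feb 13 10:32:43 gw207 rsyslogd-2177: imuxsock begins to drop messages from pid 2178 due to rate-limiting
Feb 13 10:32:47 gw207 rsyslogd-2177: imuxsock lost 24 messages from pid 2178 due to rate-limiting
Feb 13 10:32:50 gw207 audispd: type=SYSCALL msg=audit(1234567970.123:4242): arch=c000003e syscall=59 success=yes exit=0
Feb 13 10:32:51 gw207 sshd[811]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

# BSD syslog layout as written to a file: "Mon DD HH:MM:SS host tag: msg".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)
LOST_RE = re.compile(
    r"imuxsock lost (?P<n>\d+) messages from pid (?P<pid>\d+) due to rate-limiting"
)

AUDIT_DIR = "/var/log/audit"  # same prefix as the HostAudit template


def parse_line(line, year=2024):
    """Split one syslog line into its fields. The BSD timestamp carries no
    year, so the caller supplies one (an assumption of this example)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # rsyslog's programname is the tag with any "[pid]" suffix removed.
    programname = m["tag"].split("[", 1)[0]
    return {"ts": ts, "host": m["host"], "programname": programname, "msg": m["msg"]}


def route_audit(rec):
    """Mirror of the two legacy rules: an audispd record is written, as bare
    %msg% plus newline, to the per-day HostAudit file; anything else is left
    to the remaining rules (returns None)."""
    if rec["programname"] != "audispd":
        return None
    path = f"{AUDIT_DIR}/{rec['ts']:%Y/%m/%d}/audit.log"
    return path, rec["msg"] + "\n"


def lost_audit_messages(records):
    """Total messages imuxsock reports dropped, per (host, pid). Each entry is
    a gap in the audit trail that the central copy can never contain."""
    totals = defaultdict(int)
    for rec in records:
        m = LOST_RE.search(rec["msg"])
        if m:
            totals[(rec["host"], int(m["pid"]))] += int(m["n"])
    return dict(totals)


def simulate_ratelimit(times, interval=5, burst=200):
    """Simplified model of the interval/burst rule: within each window of
    `interval` seconds, only the first `burst` messages pass. Returns
    (accepted, dropped). With interval=0 every message opens a new window,
    so nothing is dropped, which is how rsyslog treats an interval of 0."""
    accepted = dropped = 0
    window_start, seen = None, 0
    for t in times:
        if window_start is None or t - window_start >= interval:
            window_start, seen = t, 0
        seen += 1
        if seen > burst:
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped


def process(text):
    """Apply routing and gap detection to a whole log text."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    files = defaultdict(list)
    for rec in records:
        routed = route_audit(rec)
        if routed:
            files[routed[0]].append(routed[1])
    return {"files": dict(files), "lost": lost_audit_messages(records)}


if __name__ == "__main__":
    result = process(SAMPLE_LOG)
    for path, lines in result["files"].items():
        print(path, "<-", len(lines), "audit record(s)")
    for (host, pid), n in result["lost"].items():
        print(f"WARNING: {host} pid {pid}: {n} audit messages lost to rate-limiting")
    print("500 messages in one second, defaults:", simulate_ratelimit([0] * 500))
```

Running it prints the one daily audit file the sample feeds, a warning that 132 audit messages from pid 2178 on gw207 never reached the server, and confirms that with the page's defaults a burst of 500 messages in one second keeps 200 and drops 300. The model is a useful sanity check before raising the burst or setting the interval to 0 on hosts whose audit volume legitimately exceeds 200 messages per 5 seconds.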
http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log