With the caveat that I am perhaps asking the wrong audience, I'm hoping
that someone has hit this issue before, and possibly solved it.
I've set up a number of servers in my environment to forward all audit log
entries via audispd and rsyslog to a central rsyslog receiver where they
are parsed and saved. All that is working (audit is sent with LOG_LOCAL6 in
audispd syslog plugin, "local6.* @@loghost:514" is in rsyslog.conf).
The problem/question I have is whether it is possible to turn off
rate-limiting for rsyslog *only for audit traffic*. Leaving aside that I
need to tune the audit rules better, on heavily loaded servers the rsyslogd
starts dropping most of the audit traffic due to the rate-limiting
parameters. I know I can turn it off (or set it much higher) for all
rsyslog, but is there any way to selectively set the rate limit by either
source (audispd) or facility (local6)?
I've just joined the rsyslog mailing list, if I fail here then I'll ask
there, but I'm afraid that the answer will have something to do with using
rsyslog v8, and I'm stuck with the RHEL7-provided v7.4.7.
Any assistance/suggestions/leads are appreciated.
Stephen