...
- If the syslog message has a timestamp that is more than 1800 seconds off from the current server time:
  - Accept the syslog message.
  - Remove the timestamp and replace it with the server's own timestamp.
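
The skew rule above, sketched in Python as an added example; it is not code or rsyslog configuration from the original page. It assumes RFC 5424 framing, the names `normalize` and `parse_timestamp` are hypothetical, and treating a missing or unparsable timestamp as out of range is this example's own assumption.

```python
import re
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 1800  # threshold stated in the policy above

# RFC 5424 header start: <PRI>VERSION SP TIMESTAMP SP rest-of-message
HEADER = re.compile(r"^(<\d{1,3}>\d{1,2}) (\S+) (.*)$", re.DOTALL)


def parse_timestamp(field):
    """Return an aware datetime, or None for NILVALUE or unparsable input."""
    if field == "-":
        return None
    try:
        ts = datetime.fromisoformat(field.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def normalize(line, server_now):
    """Always accept the message; return (line, replaced).

    The timestamp is swapped for server_now when it is more than
    MAX_SKEW_SECONDS away from the server clock (assumption: also when
    it is missing or unparsable).
    """
    m = HEADER.match(line)
    if not m:
        return line, False  # not RFC 5424 framing; passed through unchanged
    prefix, field, rest = m.groups()
    ts = parse_timestamp(field)
    if ts is not None and abs((server_now - ts).total_seconds()) <= MAX_SKEW_SECONDS:
        return line, False
    stamp = server_now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{prefix} {stamp} {rest}", True


# Constructed sample input (not from the original page).
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = [
    "<34>1 2024-05-01T11:45:00Z host1 sshd 101 - - within 1800 s, kept",
    "<34>1 2024-05-01T13:00:01+00:00 host2 sshd 102 - - one hour ahead",
    "<34>1 2019-01-01T00:00:00Z host3 sshd 103 - - stale clock",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample, NOW))
```

A timestamp exactly 1800 seconds off is kept, since the rule replaces only those that are more than 1800 seconds off.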
Appendix A: Upgrading rsyslog of RHEL and CentOS
...