Syslog Auditing Performance

If the syslog receiver runs on a separate server from the machine emitting the syslog events and there is a connectivity issue between them, the auditing process will keep resending the undelivered events. This can cause unacceptable performance degradation for as long as the events cannot be delivered.

This issue can be mitigated by running a local syslog daemon on the server doing the auditing. The daemon acts as the primary syslog receiver, so the auditing process only ever talks to a local endpoint. The daemon can then be configured to log to a file, forward to arbitrary external SIEMs, or both. These daemons are also built to handle network issues: they queue messages in memory while a destination is unreachable and deliver them once the issue has resolved. This allows the auditing server to keep running with minimal reliance on external network connections for auditing purposes.
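An added example of the relay described above, written for rsyslog (this configuration is not from the original page): the daemon listens only on localhost, writes a local copy of every event, and forwards to the SIEM through an action queue that buffers in memory and retries indefinitely while the SIEM is unreachable. The SIEM hostname and port, the ruleset name and the file paths are assumed placeholders.

```rsyslog
# Accept events only from the local auditing process (no external exposure).
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" address="127.0.0.1" ruleset="auditrelay")
input(type="imtcp" port="514" address="127.0.0.1" ruleset="auditrelay")

ruleset(name="auditrelay") {

    # Local copy: written synchronously, unaffected by SIEM availability.
    action(type="omfile" file="/var/log/audit-relay.log")

    # Forward to the SIEM (placeholder host/port) behind an asynchronous queue.
    # The queue decouples the sender from the network: the local input returns
    # immediately, and delivery is retried in the background.
    action(type="omfwd"
           target="siem.example.internal"      # placeholder
           port="6514"                          # placeholder
           protocol="tcp"
           queue.type="LinkedList"              # in-memory queue
           queue.size="100000"                  # max buffered messages
           queue.filename="siemfwd"             # spill to disk above highWatermark
           queue.highWatermark="80000"
           queue.lowWatermark="20000"
           queue.saveOnShutdown="on"            # persist queue on daemon stop
           action.resumeRetryCount="-1"         # retry forever, never discard
           action.resumeInterval="30")          # seconds between retries
}
```

Without `queue.filename` the queue is purely in-memory and its contents are lost if the daemon is restarted or crashes during an outage; the disk-assisted settings above trade some write overhead for not losing audit events in that case.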