A customer builds their entire OpenNMS inventory using auto-discover via new-suspect-on-trap with Trapd or new-suspect-on-message with Syslogd.
I found that even when Syslogd receives a message, and it cannot retrieve the IP address of the sender from it, it still sends a new suspect event with a null address. Provisiond, of course, rejects this event, but on a system handling hundreds if not thousands of messages per second, this behavior can unnecessarily overwhelm the system.
This is why this should be prevented.
Maybe unrelated, but another scenario is that when a known sender is sending hundreds or thousands of messages, Syslogd will continuously send new suspect events until the IP exists in the database, which could unnecessarily overwhelm the system even more than the first scenario. That's because, in this case, active transactions are happening until the IP exists in the database. There should be some kind of time-based cache to avoid this situation.
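
One way to cover both scenarios above, as an added example that is not OpenNMS code and not part of the original report: a gate that never emits for a null sender and suppresses repeat new-suspect events per IP for a fixed window. The class name `NewSuspectGate`, the 5-minute window, the 10,000-entry cap and the sample address are assumptions.

```java
import java.net.InetAddress;
import java.time.Duration;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Hypothetical helper, not an OpenNMS class: decides whether a new-suspect event should be sent. */
public class NewSuspectGate {
    private final ConcurrentHashMap<InetAddress, Long> lastSent = new ConcurrentHashMap<>();
    private final long ttlNanos;
    private final int maxEntries;
    private final LongSupplier clock; // injectable so expiry can be exercised without sleeping
    public NewSuspectGate(Duration ttl, int maxEntries, LongSupplier clock) {
        this.ttlNanos = ttl.toNanos();
        this.maxEntries = maxEntries;
        this.clock = clock;
    }

    /** Returns true only when the caller should emit a new-suspect event for this sender. */
    public boolean shouldSend(InetAddress sender) {
        if (sender == null) {
            return false; // scenario 1: no address could be extracted, so never emit
        }
        final long now = clock.getAsLong();
        final boolean[] send = {false};
        lastSent.compute(sender, (addr, prev) -> {
            if (prev == null || now - prev >= ttlNanos) {
                send[0] = true; // first sighting, or the suppression window has elapsed
                return now;
            }
            return prev;        // scenario 2: still inside the window, suppress
        });
        if (send[0] && lastSent.size() > maxEntries) {
            // Soft memory bound: sweep out expired entries once the map grows past the cap.
            lastSent.values().removeIf(t -> now - t >= ttlNanos);
        }
        return send[0];
    }

    public static void main(String[] args) throws Exception {
        long[] fakeNow = {0L}; // constructed clock, advanced by hand below
        NewSuspectGate gate = new NewSuspectGate(Duration.ofMinutes(5), 10_000, () -> fakeNow[0]);
        InetAddress host = InetAddress.getByName("192.0.2.10"); // constructed sample address
        System.out.println("null sender:      " + gate.shouldSend(null));
        System.out.println("first message:    " + gate.shouldSend(host));
        System.out.println("repeat in window: " + gate.shouldSend(host));
        fakeNow[0] = Duration.ofMinutes(6).toNanos();
        System.out.println("after window:     " + gate.shouldSend(host));
    }
}
```

Because syslog over UDP accepts spoofed source addresses, the entry cap matters: without it, a flood of distinct senders would grow the cache without limit.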