I would collect the log(in particolar auditd but also other syslog log) produced by several linux server in a centralized syslog server installed in a linux server. I would configure the centralized syslog server in a secure network where the centralized syslog server can initiate connections to the other server but the other server producing the logs (some of them are exposed also on internet) can't initiate any connections to it.
I know that rsyslog allows to send log to a remote syslog using tcp or udp as described for example in http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/ but in this case I can't use it because the servers can't send log to the centralized syslog server for the restriction described above.
Are there other log shipping tools or software working with a pull strategy indeed of the "push" strategy used by rsyslog?
I assume you can ssh between your machines. Maybe you can try to tunnel syslog over ssh
I would suggest avoiding the "pull" method unless you are completely sure (or completely don't care) about your security. If logs are stored localhost (on the client side) the intruder can easily tamper with them and not only make the investigation harder, but also lead you to false directions.
Having that said, maybe the best way to go is to forward logs into a (push) pipe and then remotely pull them.
The steps to be taken...
1) mkpipe logpipe
2) Redirect logs to pipe ( http://www.rsyslog.com/doc/v8-stable/configuration/modules/ompipe.html )
3) from the client : nc -l 12345 0
4) from the server : nc clientip 12345 > /var/log/clientlogs