I just found that the reason for dd is that Linux doesn't allow reading from the /proc/kmsg open descriptor without root privileges (as opposed to restricting just the open() call). The syslog-ng that I was using until now used the CAP_SYS_ADMIN capability to keep access to /proc/kmsg after dropping root privileges. It seems that rsyslog isn't currently programmed to use this capability, so my previous suggestion wouldn't work.
For now I switched back to syslog-ng, so that I don't need the extra 'dd' process running and still run the syslog daemon as an unprivileged user.
Sorry for the noise.
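The privilege drop described in the comment above, as an added example (not code from the post, syslog-ng or rsyslog): open /proc/kmsg as root, switch to an unprivileged user, and keep only CAP_SYS_ADMIN so later reads still pass the kernel's check. The uid/gid 65534 and the helper names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Build a capability set in which `cap` is the only permitted+effective bit. */
static void only_cap(int cap, struct __user_cap_data_struct d[2]) {
    memset(d, 0, 2 * sizeof d[0]);
    d[cap / 32].permitted = d[cap / 32].effective = 1u << (cap % 32);
}

/* Drop to uid/gid but retain `cap`. Returns 0, or the number of the failed step. */
int drop_root_keep_cap(uid_t uid, gid_t gid, int cap) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) return 1; /* keep permitted set across setuid */
    if (setgroups(0, NULL)) return 2;                 /* clear supplementary groups */
    if (setgid(gid)) return 3;
    if (setuid(uid)) return 4;                        /* effective set is cleared here */
    only_cap(cap, d);
    if (syscall(SYS_capset, &h, d)) return 5;         /* re-raise cap, discard all others */
    return 0;
}

int main(void) {
    char buf[4096];
    /* Open while still root; the descriptor survives the privilege drop. */
    int fd = open("/proc/kmsg", O_RDONLY | O_NONBLOCK);
    /* 65534 is a constructed "nobody" uid/gid; use the daemon's real account. */
    int step = drop_root_keep_cap(65534, 65534, CAP_SYS_ADMIN);
    if (fd < 0 || step) {
        fprintf(stderr, "setup failed (open fd=%d, drop step=%d)\n", fd, step);
        return 1;
    }
    /* Per the comment above, this read() is where the kernel checks privilege. */
    ssize_t n = read(fd, buf, sizeof buf);
    printf("read() returned %zd while running as uid %d\n", n, (int)getuid());
    return 0;
}
```

Without the PR_SET_KEEPCAPS and capset steps, the setuid() call leaves the process with no capabilities, which is the situation the comment describes for rsyslog.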