Whereas /proc/kmsg is designed for a single reader (usually syslogd), /dev/kmsg (circa 2012) supports multiple readers and could be used by the anomaly collector instead of /var/log/messages without the complications of having to detect log rotation.
This of course assumes that the anomaly collector is interested only in kernel logs, and doesn't care about the rest of the syslog.
Other advantages: fewer wake ups, fewer lines to parse, and avoiding duplicate collection when reading an existing syslog after reboot.
(This could be a good noogler bug.)
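Added example (not part of the original report or of the Chrome OS code): a minimal C parser for the record layout that a read() on /dev/kmsg returns, as described in the kernel's dev-kmsg ABI documentation, plus a check for records lost between reads. The function names and the sample records are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed /dev/kmsg record header plus a pointer to its message text. */
struct kmsg_rec {
    unsigned level;            /* syslog level: prefix & 7 */
    unsigned facility;         /* syslog facility: prefix >> 3 (0 = kernel) */
    unsigned long long seq;    /* 64-bit record sequence number */
    unsigned long long usec;   /* monotonic timestamp in microseconds */
    const char *msg;           /* text after ';', up to the first newline */
    size_t msg_len;
};

/* Parse "prefix,seq,usec,flags[,...];text\n[ KEY=val\n...]". Returns 0 on success. */
int kmsg_parse(const char *buf, struct kmsg_rec *r)
{
    char *end;
    unsigned long prefix = strtoul(buf, &end, 10);
    if (end == buf || *end != ',') return -1;
    const char *p = end + 1;
    r->seq = strtoull(p, &end, 10);
    if (end == p || *end != ',') return -1;
    p = end + 1;
    r->usec = strtoull(p, &end, 10);
    if (end == p || *end != ',') return -1;
    const char *semi = strchr(end, ';');   /* skip flags and any later fields */
    if (!semi) return -1;
    r->level = prefix & 7;
    r->facility = prefix >> 3;             /* userspace writes cannot use facility 0 */
    r->msg = semi + 1;
    r->msg_len = strcspn(r->msg, "\n");    /* continuation lines start with a space */
    return 0;
}

/* Number of records missed between two consecutive reads (ring buffer overwrite). */
unsigned long long kmsg_gap(unsigned long long prev_seq, unsigned long long seq)
{
    return seq > prev_seq + 1 ? seq - prev_seq - 1 : 0;
}

/* Constructed sample records in the layout one read() returns. */
const char *SAMPLE_WARN = "4,1201,5140900,-;WARNING: CPU: 0 PID: 1 at fs/x.c:10 f+0x1/0x2\n SUBSYSTEM=demo\n";
const char *SAMPLE_USER = "12,1205,5150000,-;written by a userspace process\n";
```

A collector built on this would keep only records with `facility == 0`, so text injected by writing to /dev/kmsg from userspace is not mistaken for a kernel warning, and would treat a nonzero `kmsg_gap` (or an EPIPE from read()) as lost records.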
Comment 1 by semenzato@chromium.org, Oct 27 2017