I think the current design of logcheck with all the reportlevels and violation/cracking layers makes this approach hard to do correctly.
But if we simplify the layout of rules it might be worth considering. (another idea is to track how many times each file matches so more frequently-matching files can run first)
