it seems we're suffering from a resource exhaustion problem (Java OutOfMemory). And I am definilty suffering from too many log entries I don't want to see.
Idea: Add Trigger to add IP address to automatic blacklist when Web User tries to login with suspicious user name like "root" (regex at best). This would save the system from the additional 20 passwords they try and from the additional 20 other users they try. This would reduce log size and if my observations are correct each failed login uses up some memory. If the garbage collector is too slow or is using too much CPU the OutOfMemory exception occurs (presuming there is no memory leak). Then the GA services are no longer available.
Unfortunately there is no action available in the trigger to do this and gacmd doesn't offer a command to manipulate the black list, as far as I can see. Is there another way to accomplish this?