diff --git a/NEWS b/NEWS
index 7ee4f50e8b1396e7ff4a0a4313db42bcc7e5039e..438432ed982b91eb3822c99f3d5680810d6c5414 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+release/001.015 (2017-10-25)
+
+    Add $use_logsink_server parameter so that servers using Splunk, ELK,
+    or its like will have the option to not send log files to the logsink
+    server. (adamhl)
+
 release/001.014 (2016-03-11)
 
     When ensuring 'absent' also remove the audisp-simplify newsyslog
diff --git a/manifests/auditd.pp b/manifests/auditd.pp
index bd07d156e0df7ed9fd60d9b49ac473f0bf127059..12b87505e396118f2987c87e4bb81b1224d71f46 100644
--- a/manifests/auditd.pp
+++ b/manifests/auditd.pp
@@ -14,6 +14,11 @@
 # Example client server:
 #
 #  audit::auditd { "{$::hostname}.stanford.edu": ensure => present }
+#
+# $use_sink_server: set to true if you want to forward auditd logs to the
+#   legacy log-sink server, false otherwise. Eventually, the log-sink
+#   server will go away as we are moving to Splunk and ELK.
+# Default: true
 
 define audit::auditd (
   $content             = 'NONE',
@@ -25,6 +30,7 @@ define audit::auditd (
   $num_logs            = 5,
   $simplify            = 'true',
   $syslog_server       = 'logsink.stanford.edu',
+  $use_logsink_server  = true,
   $space_left          = 5000,
   $space_left_action   = 'SYSLOG',
   $ensure
@@ -78,10 +84,19 @@ define audit::auditd (
           source  => "$afile/etc/audisp/plugins.d/syslog.conf",
           require => Package['auditd'];
       }
-      base::syslog::fragment {
-        '50-audisp-remote.conf':
-          ensure  => 'present',
-          content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
+
+      # This fragment forwards to the log-sink server, so only
+      # provision if $use_logsink_server is true.
+      if ($use_logsink_server) {
+        base::syslog::fragment {
+          '50-audisp-remote.conf':
+            ensure  => 'present',
+            content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
+        }
+      } else {
+        base::syslog::fragment {
+          '50-audisp-remote.conf': ensure => 'absent';
+        }
       }
 
       # Test the simplification of auditd logging
@@ -130,6 +145,7 @@ define audit::auditd (
             '15-input-simplify.conf': ensure => 'absent';
             '40-simplify.conf':       ensure => 'absent';
           }
+
         } else {
           $syslog_tag = 'audispSimplify'
           base::syslog::fragment {
@@ -139,9 +155,20 @@ define audit::auditd (
             '15-input-simplify.conf':
               ensure  => 'present',
               content => template('audit/etc/rsyslog.d/15-input-simplify.conf.erb');
-            '40-simplify.conf':
-              ensure  => 'present',
-              content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
+          }
+
+          # This fragment forwards to the log-sink server, so only
+          # provision if $use_logsink_server is true.
+          if ($use_logsink_server) {
+            base::syslog::fragment {
+              '40-simplify.conf':
+                ensure  => 'present',
+                content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
+            }
+          } else {
+            base::syslog::fragment {
+              '40-simplify.conf': ensure => 'absent';
+            }
           }
         }
       }
diff --git a/templates/etc/rsyslog.d/15-input-simplify.conf.erb b/templates/etc/rsyslog.d/15-input-simplify.conf.erb
index 09a56052d88e698c961eb01cca3dcdf8eba8dbd8..bd5cbea9d573dc7570308bd60f6c65ca41d4e829 100644
--- a/templates/etc/rsyslog.d/15-input-simplify.conf.erb
+++ b/templates/etc/rsyslog.d/15-input-simplify.conf.erb
@@ -1,6 +1,6 @@
 # audisp-simplify output
-input(type="imfile" File="/var/log/audisp-simplify" 
-      Tag="<%= @syslog_tag %>" 
+input(type="imfile" File="/var/log/audisp-simplify"
+      Tag="<%= @syslog_tag %>"
       Severity="info"
       PersistStateInterval="20000"
       StateFile="stat-audisp-simplify")