I'd try to tailor the iRule (and optionally datagroup) for your exact scenario to minimize the load this would use. If you only have one or two domains that should be referring to your web app and it's only http:// for example, I'd avoid a datagroup and any parsing of the referer header. If it's more complicated than that, I'd suggest using timing to compare the efficiency of parsing the referer header and/or checking against a datagroup.
Also, the log command accepts a syslog facility as iRuleYou mentioned. If you don't specify the facility, the log messages are throttled:
http://devcentral.f5.com/wiki/default.aspx/iRules/log
There is a significant behavioral difference when the optional . is specified. When iRule logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the and/or are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates).
Aaron