If you are able to use plugins, this could help:
Basically build a pipeline function that does a lookup using the source field (or the field containing the host identifier, why that see below) and sorting the responses descending. The returning field should be the timestamp and then simply check if the returned timestamp is older than 3 days.
The only issue: You would still need some way of running these checks without relying on the host to send a message himself. As @jan said, you would need a script triggered by cron for example, that periodically sends messages for each host that you want to be checked. (This is were the field containing the host identifier mentioned above comes from )
Also you should put this into its own index etc. to not clutter your normal logs too much