Rory wrote:
options { time_reopen(10); chain_hostnames(yes); keep_hostname(no); gc_idle_threshold(100); gc_busy_threshold(65535); use_dns(no); log_fetch_limit(10); log_iw_size(10000); log_fifo_size(100000); };
source remote_sources { udp(ip(0.0.0.0) port(514)); };
If you don't need to receive data from ALL local IP addresses, you can save some CPU by only binding and thus polling the specific IP addresses that you need.
destination event_collector { tcp("127.0.0.1" port(1028)); };
If your event collector does the parsing of the syslog message, then you could stop syslog-ng from parsing the incoming message, and use a $MSGONLY template on the destination.
log { source(remote_sources); destination(event_collector); flags(flow-control); };
I'm not sure what platform you are on, but you could compile a later binary, like i686 rather than i386. It can make a large difference.

Evan.
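
The two configuration suggestions in the reply above, applied to the quoted configuration. This is an added example, not part of the original message. It assumes a syslog-ng version that supports flags(no-parse) on the udp() source, and 192.0.2.10 is a placeholder listener address.

```conf
# Added example: the quoted configuration with a specific bind address,
# source-side parsing disabled, and a $MSGONLY template on the destination.
options {
    time_reopen(10);
    chain_hostnames(yes);
    keep_hostname(no);
    gc_idle_threshold(100);
    gc_busy_threshold(65535);
    use_dns(no);
    log_fetch_limit(10);
    log_iw_size(10000);
    log_fifo_size(100000);
};

source remote_sources {
    # Bind only the address the senders target instead of 0.0.0.0.
    # 192.0.2.10 is a placeholder (documentation range); replace it.
    # no-parse: the whole received line is treated as the message part,
    # so syslog-ng does not spend CPU splitting out the syslog header.
    udp(ip(192.0.2.10) port(514) flags(no-parse));
};

destination event_collector {
    # Forward just the message part; the collector does its own parsing.
    # Without a template, syslog-ng would prepend a header it generated.
    tcp("127.0.0.1" port(1028) template("$MSGONLY\n"));
};

log {
    source(remote_sources);
    destination(event_collector);
    flags(flow-control);
};
```

Binding one address also means the UDP listener is no longer reachable on the host's other interfaces.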