Thanks for your help. After strace-ing I found that the culprit was DNS. DNS lookups were blocking the daemon.
Adding use_dns(no) to the global config fixed the problem. Messages are now being written to disk in real time and I am losing nothing!
Now, if I want my 'pretty' directory structure and filenames do I add my remote machines to /etc/hosts or do I make my syslog-ng machine a caching name server? Will these block?
a caching nameserver should help, though syslog-ng can still block for a while on DNS queries. you could filter out hosts that might not be resolvable with ipchains or ipfwadm (or the packet filter your OS has) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt