You had better make sure that the disk on the destination is faster than the sum of the logging rates of all the other hosts, or the syslog-ng on the destination machine will start throwing entries away, and *then* you'll really be embarrassed :)
Why does syslog-ng "throw messages away?" Shouldn't they be buffered instead of discarded? Surely memory can keep up. It is unacceptable for messages to be thrown away. You might as well just use UDP and `hope' all messages arrive.
You can control the size of the output buffer with the log_fifo_size() option. Of course this size is not preallocated, it's just the maximum number of entries to be buffered. The default value is 100.
Syslog-ng could be more efficient still by allocating large chunks of memory (maybe using obstacks) for each destination and then batch-writing them (say, when an alarm expires). I imagine that syslog-ng spends a lot of time in system calls because it writes each message individually.
Yes, this may be a place for improvement. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt