Chris,
Thanks for the info. Are you saying you run syslog-ng on the log server but the clients all run plain ol' syslog??
Yes at present.
I thought you needed syslog-ng on clients to stunnel the stuff to log server over tcp.... How are you getting syslog stuff to log server?
Using the UDP. The servers are actually on a very fast/robust/diverse network so I'm not too worried about losing any messages. In addition they are also stored locally on the servers. The network devices only support syslog over UDP and these were the main devices we wanted to monitor in this way as the syslog will show messages not provided by SNMP. We are looking at dedicated BSD boxes directly attached to the network devices to capture their syslogs and then send them back to the central syslog server using TCP as a future project; this will ensure we don't miss anything in the event of network failures.

Jim