My troubles didn't go away until I deployed syslog-ng everywhere and used TCP for all syslog traffic (from UNIX hosts anyways).
It's important to understand just how TCP addresses the problem. It's a problem of servers logging more than the network can handle; UDP addresses it by discarding log messages; TCP addresses it by slowing down the servers creating them. For many servers, logging is supposed to be transparent; it's not a central enough activity to have it pace the server's real work. Besides the pacing, there's also a difference in reliability. If the syslog server hangs, a UDP-based logger will stop logging and go on with life. A TCP-based one will hang with it.

--
Bryan Henderson
San Jose, California
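The TCP hang described in the reply above, and the bound a practitioner would put on it, as an added example that is not part of the thread: a loopback collector that accepts the connection but never reads (simulating a hung syslog server), and a sender with a socket send timeout that fails fast and counts the drop instead of stalling the application. The host, port, buffer sizes and log line are constructed for the demo.

```python
"""Added example: bounded blocking for a TCP syslog sender when the collector stops reading."""
import socket
import threading


def start_stuck_collector():
    """Listener that accepts one connection and then never calls recv() (simulated hang)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Small receive buffer so kernel-side backpressure shows up after a few KB, not MB.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4096)
    srv.bind(("127.0.0.1", 0))  # constructed: loopback, ephemeral port
    srv.listen(1)
    held = []  # keeps the accepted socket alive so the peer sees an open, non-draining connection

    def accept_and_hold():
        conn, _ = srv.accept()
        held.append(conn)  # never read from it

    threading.Thread(target=accept_and_hold, daemon=True).start()
    return srv, held


def send_until_backpressure(port, send_timeout=0.5, max_msgs=200_000):
    """Send RFC 3164-style lines over TCP until the collector stops draining them.

    Returns (lines_accepted_by_kernel, timed_out). Without settimeout() the
    sendall() call would block indefinitely once both socket buffers are full.
    """
    s = socket.create_connection(("127.0.0.1", port))
    s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)
    s.settimeout(send_timeout)  # the mitigation: bound how long logging may stall the app
    line = b"<13>Jan  1 00:00:00 app[42]: constructed syslog line for backpressure test\n"
    sent, timed_out = 0, False
    try:
        for _ in range(max_msgs):
            s.sendall(line)
            sent += 1
    except socket.timeout:
        timed_out = True  # collector is stuck: drop or spool locally instead of hanging
    finally:
        s.close()
    return sent, timed_out


if __name__ == "__main__":
    srv, _held = start_stuck_collector()
    print(send_until_backpressure(srv.getsockname()[1]))  # e.g. (a few hundred lines, True)
```

A real deployment would spool to local disk or fall back to a local syslog daemon when the timeout fires; the counter here stands in for that policy.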