Many applications and devices can only send their logs over UDP.
In a large enterprise environment, SSB may be unable to handle the incoming traffic with the default configuration, which results in message loss.
Before you start, it is strongly recommended to check whether the sender hosts and devices can be switched from UDP to TCP.
Use UDP only if you have no other choice.
The SSB source called 'Legacy' accepts UDP logs on port 514 and has a 60 MiB receive buffer, configured by a kernel parameter.
UDP connections cannot be multi-threaded, so only one CPU core can be used to accept UDP logs.
netstat -unlp|grep -e PID -e syslog
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 62914434 0 10.21.10.20:514 0.0.0.0:* 3503/syslog-ng
6798 packets received
29 packets to unknown port received.
34 packet receive errors
6833 packets sent
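The two outputs above can be checked mechanically: the Recv-Q of 62914434 bytes is almost the entire 60 MiB buffer, and the receive error counter is non-zero. The script below is an added example, not part of the original article or of SSB; the function names and the 90% threshold are assumptions, and the sample input is the output shown above.

```shell
#!/bin/sh
BUF_BYTES=$((60 * 1024 * 1024))   # 60 MiB receive buffer stated in the article

# Sample input: the socket line and UDP counters shown in the article.
SAMPLE_SOCKETS='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 62914434 0 10.21.10.20:514 0.0.0.0:* 3503/syslog-ng'
SAMPLE_STATS='6798 packets received
29 packets to unknown port received.
34 packet receive errors
6833 packets sent'

# stdin: netstat -unlp output.
# stdout: "<local address> <Recv-Q bytes> <percent of buffer>" per syslog-ng UDP socket.
recvq_fill() {
    awk -v buf="$BUF_BYTES" '
        $1 ~ /^udp/ && $NF ~ /syslog-ng/ {
            printf "%s %d %d\n", $4, $2, int($2 * 100 / buf)
        }'
}

# stdin: UDP statistics. stdout: the first "packet receive errors" counter, or 0.
# The counter is cumulative since boot, so compare two readings to see current loss.
rcv_errors() {
    awk '/packet receive errors/ { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# $1 = socket listing, $2 = UDP statistics, $3 = threshold percent (assumed value).
# Returns 1 and prints the reason when the queue is nearly full or errors were counted.
check_udp() {
    rc=0
    full=$(printf '%s\n' "$1" | recvq_fill | awk -v t="$3" '$3 >= t')
    errs=$(printf '%s\n' "$2" | rcv_errors)
    [ -n "$full" ] && { echo "receive queue near full: $full"; rc=1; }
    [ "$errs" -gt 0 ] && { echo "UDP receive errors: $errs"; rc=1; }
    return $rc
}

check_udp "$SAMPLE_SOCKETS" "$SAMPLE_STATS" 90 || echo "UDP message loss is likely"
```

On a live host, pipe `netstat -unlp` into `recvq_fill` and the UDP counters (as printed by `netstat -su`) into `rcv_errors` instead of using the sample variables.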
This way SSB can use different CPU cores for the different UDP sources, and each UDP source will have 60 MiB of receive buffer.
Placing a syslog-ng relay in front of SSB requires reconfiguring the logging environment. Generally, there are two options.