I can see that a bug has been filed on this before but I am unable to re-open it. Please alter the default syslog-ng.conf file so that /dev/log is a datagram based socket: source src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg"); }; This is the way all major distros are doing it - with *good* reason. Refer to this bug for a detailed rationale: https://bugs.archlinux.org/task/22153 Michael, in the previous bug you claim that to switch to unix-dgram would result in the loss of messages but this claim is false. Balazs Scheidler himself has acknowledged as much: "This was my - incorrect - perception about SOCK_DGRAM type UNIX domain sockets. At least on Linux unix-dgram does not lose messages." In addition to all that is mentioned above, making this change will obviate the arbitrary bottleneck of 256 connections in the existing config, thereby increasing scalability on busy hosts. Please understand this and fix it. Copying in hardened as they maintain a distinct config.
Note also that system() expands to the following in Linux: unix-dgram("/dev/log"); file("/proc/kmsg" program-override("kernel") flags(kernel)); And the official default config looks like this: @version: 3.3 @include "scl.conf" source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; log { source(s_local); destination(d_local); }; Ergo, syslog-ng officially uses unix-dgram.
updated in syslog-ng-3.4.1