If you look at the source code for syslogd, you will see that the syslogd program only uses datagram sockets (type SOCK_DGRAM). These are by definition connectionless but also not completely reliable in the sense that stream sockets are.
This is by design. Using stream sockets would mean that the syslog() call would have to wait for a confirmation that the message that it sent was received properly. So if syslogd was busy, every application that calls syslog() would block.
Syslogd was simply not designed with the volume of data that you are subjecting it to in mind. You could try enlarging the value of the sysctl variable kern.ipc.maxsockbuf, giving the logging socket a larger buffer.
If you want to make sure you capture everything, write to a file instead.
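The buffer limit discussed above can be observed directly. The following is an added example, not code from syslogd or from the original answer: it uses a `socketpair()` of `SOCK_DGRAM` sockets as a stand-in for the log socket, never reads from it during the burst, and counts how many datagrams the kernel queues at two buffer sizes. The function name `burst_accepted`, the 512-byte message and the buffer sizes are assumptions chosen for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added illustration (hypothetical helper, not syslogd code).
 * Sends up to nmsgs 512-byte datagrams while the receiver never reads.
 * Returns how many the kernel queued; *delivered gets how many the
 * receiver could read afterwards. Returns -1 on failure. */
int burst_accepted(int bufsize, int nmsgs, int *delivered)
{
    int sv[2], accepted = 0;
    char msg[512];

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    /* Which buffer bounds the queue is OS-specific, so size both the
     * sender's send buffer and the receiver's receive buffer. */
    setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &bufsize, sizeof bufsize);
    setsockopt(sv[1], SOL_SOCKET, SO_RCVBUF, &bufsize, sizeof bufsize);
    /* Non-blocking: a full buffer returns an error instead of stalling. */
    fcntl(sv[0], F_SETFL, O_NONBLOCK);
    fcntl(sv[1], F_SETFL, O_NONBLOCK);
    memset(msg, 'x', sizeof msg);   /* constructed sample log line */
    for (int i = 0; i < nmsgs; i++) {
        if (send(sv[0], msg, sizeof msg, 0) == (ssize_t)sizeof msg)
            accepted++;
        else if (errno == EAGAIN || errno == EWOULDBLOCK || errno == ENOBUFS)
            break;                  /* buffer full: the rest would be lost */
        else { accepted = -1; break; }
    }
    /* The busy "daemon" finally wakes up and drains what was queued. */
    *delivered = 0;
    while (recv(sv[1], msg, sizeof msg, 0) > 0)
        (*delivered)++;
    close(sv[0]); close(sv[1]);
    return accepted;
}

int main(void)
{
    int d_small, d_large;
    int small = burst_accepted(8192, 5000, &d_small);
    int large = burst_accepted(65536, 5000, &d_large);
    printf("8 KiB buffer:  %d of 5000 queued, %d delivered\n", small, d_small);
    printf("64 KiB buffer: %d of 5000 queued, %d delivered\n", large, d_large);
    return 0;
}
```

The exact counts depend on the operating system's per-datagram accounting and its buffer ceilings, so compare the two lines of output rather than the absolute numbers.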