I think that the big question is “can I lost events?” Then how much I can lost? If the amount is reasonable then follow what @diogofgm said. If you are thinking that you can’t lose any events and you still are using syslog, please think again. Then follow @PickleRick ‘s thinking. In reality using syslog as method to deliver events without any losses it’s really hard almost impossible. I know that @PickleRick will said that it’s impossible 😉 IMHO it’s depends on your architecture and setups, but at least in some cases it’s doable maybe not all cases?

Generally, having a fully 100% proof event delivery is extremelly difficult unless you are ready to have high probability of duplicated events. With syslog reliable delivery generally doesn't exist.

With UDP the source doesn't have any way to determine if the event has been received or not. So UDP is not reliable by design.

With TCP it _could_ be more reliable (and there are some solutions which do keep track of whether the destination actually received the event at least on the TCP stream level - most notable one being Checkpoint's Log Exporter which can get stuck for quite a long time if there is noone to receive the events) but typically the sources don't care about the destination. There is just a simple send() routine within the source's event handling process and as soon as the event is passed there the main process doesn't care anymore. If the connection to the destination can be established the event will be sent. If it cannot it won't. And that's fine because syslog was always meant to be simple, robust and easy to implement and maintain.

So yes, there is no way to make a 100% reliable syslog delivery. (One can argue that there is no way to make 100% reliable delivery because every component which would have to queue events in case of downstream path failure could get overfilled but that's another thing - just physical hardware limitations).