- You can try increasing the UDP buffers (both kernel and syslog-ng side) even to multiple GBs.
- If that does not help, you can split the UDP traffic to even more different udp sources (different port is enough). Each source will have its own udp buffer so the chance to fill up decreases.
- The next thing to consider is to place new syslog-ng machines behind the LB.
- Last but not least I would suggest to place multiple syslog-ng relay servers as close as possible to the original UDP log sources (eg. one per each geolocation/subnet/etc) and send the logs to the central syslog-ngs through tcp.