I have approached this slightly differently. I manage a network spread across a large area of geography serviced via satellite links, which can often be down for long periods of time. I am using the universal forwarder at each remote site to collect syslog via UDP and forward via a TCP connection. This gives me several advantages:
Compression. This cuts my bandwidth usage for reporting in half or better--very important when bandwidth costs are in the thousands of dollars per Mb/Month.
Encryption. Keeps my data secure in transit.
Queueing. Universal forwarder will queue days' worth of syslog data.
The universal forwarder is easy to set up, and once it is running we never have to restart it for any reason. This worked so well for our remote sites that we actually set up a forwarder in our data centres just to buffer syslog data and forward it to our main Splunk server.
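
A forwarder configuration covering the three points in the post above (compression, encryption, queueing), added here as an example and not the poster's own configuration. The host name, group name, certificate path and queue sizes are constructed placeholders.

```ini
# ---- inputs.conf on the remote-site universal forwarder ----
# Receive syslog over UDP from devices at the site.
# Binding to port 514 needs root on most Unix systems; use a high port
# (and point the devices at it) if the forwarder runs unprivileged.
[udp://514]
sourcetype = syslog
# Record the sender's IP address as the event host.
connection_host = ip
# In-memory input queue, backed by an on-disk persistent queue so that
# events received during a long link outage are not dropped.
# Sizes are placeholders: budget (daily syslog volume) x (longest
# outage you want to survive, in days) for persistentQueueSize.
queueSize = 10MB
persistentQueueSize = 20GB

# ---- outputs.conf on the same forwarder ----
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
# Placeholder receiver address.
server = splunk-indexer.example.com:9997
# Indexer acknowledgement: blocks not acknowledged before the link
# dropped are sent again after it comes back.
useACK = true
# TLS between forwarder and receiver. The receiver needs a matching
# [splunktcp-ssl:9997] input, and verifying its certificate requires a
# trusted CA (sslRootCAPath under [sslConfig] in server.conf).
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <private key password>
sslVerifyServerCert = true
# Compress inside the TLS session.
useClientSSLCompression = true
# On a non-TLS link the equivalent is "compressed = true", which must
# also be set on the receiver's [splunktcp://9997] stanza.
```

The persistent queue is what provides multi-day buffering for a UDP input: the sending devices do not retransmit, so anything that overflows the forwarder's queues during an outage is lost.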