SSH has pretty bad performance, and therefore, so does scp. Once the network buffer is full, it's slow slow slow. There are a couple of ways around this: a) use the high performance network patches for SSH available here: PSC HPN Patches (I use these myself on servers which do large file transfers), or b) switch to an ftp over SSL implementation, netcat, or similar.
For example, I had a customer using straight ftp to constantly transfer high volume firewall logs like this without issue.
I'm not even sure the HPN patches would do what is needed in this case, because of connection pauses. If logs are not coming continuously through that pipe, then you're going to have the connection restart overhead throwing off your time_before_close. So maybe add something like the following to /etc/ssh/sshd_config:
ClientAliveInterval 120
ClientAliveCountMax 720
I presume there's some sort of security policy to prevent you from just using syslog here?