I have done it both ways in the past. I use syslog-ng collector as my default for multiple reasons. When there is a legal obligation to keep syslogs for a certain amount of time, it is cheaper for me to gzip them on a syslog collector and move them off to tape in batch operations. This also makes legal feel warm and fuzzy because they are "more pure" in some legal opinions.
I have also had better experiences when using a syslog collector for areas that are geographically remote and do not have an indexer on-site.
... View more