
Hi

 

While configuring the Google SecOps forwarder for syslog, should the UDP buffer be kept at 8192 or should it be modified? Under what conditions should we change it?

hi rahul7415--

Are you seeing packet drops or the logs being truncated? Are you forwarding logs from sources that are verbose (i.e., firewalls, IDS/IPS systems)? Are you getting warnings about buffer overflows or anything similar?

Documentation seems to confirm that the default (8192 bytes) is sufficient in most cases for low to moderate log volume.

Hope this helps. 


@russell_pfeifer yes, we see packet drops and it is for a Palo Alto firewall. So if we have to increase it, how do we determine how much we should keep it at?


@rahul7514 I’m not finding any specific SecOps documentation with a recommended buffer increase size. But, the best practice in high throughput environments for syslog is to set the UDP buffer size to 65535 bytes. 

The most relevant documentation comes from sources like RFC 5426, which defines how syslog messages are transmitted over UDP. While it doesn’t explicitly recommend setting the buffer to 65535 bytes, it does state that each UDP datagram must contain a single syslog message, and that message may be truncated if it exceeds the datagram size: https://datatracker.ietf.org/doc/rfc5426/

You could set it to this value but be sure to monitor system memory as larger buffers consume more RAM. 

Hope this helps.
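As an added example (not from this thread or from Google's forwarder code), here is a Python check for the two questions raised above: whether the kernel is dropping UDP datagrams because the socket receive buffer is full, and whether a given syslog message would be truncated at the 8192-byte default or at 65535. The /proc/net/snmp excerpt and the log lines are constructed samples; on a live forwarder host, read /proc/net/snmp directly.

```python
"""Decide whether raising the syslog UDP buffer is justified by measuring,
rather than guessing: kernel receive-buffer drops and oversized messages."""

DEFAULT_BUFFER = 8192      # forwarder default discussed in the thread
MAX_UDP_PAYLOAD = 65535    # largest value discussed in the thread

# Constructed sample of /proc/net/snmp; the kernel prints a header line of
# counter names followed by a line of values for each protocol.
SAMPLE_PROC_NET_SNMP = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors
Ip: 1 64 1300000 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1284930 12 4521 9870 4521 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""

# Constructed firewall-style messages: one normal, one far longer than 8192.
SAMPLE_MESSAGES = [
    "<14>Jan 10 12:00:01 fw01 1,2024/01/10 12:00:01,001234,TRAFFIC,end,2049,...",
    "<14>Jan 10 12:00:02 fw01 1,2024/01/10 12:00:02,001234,THREAT,url," + "A" * 9000,
]


def udp_counters(snmp_text):
    """Return the Udp: counters from a /proc/net/snmp dump as a dict."""
    lines = [ln for ln in snmp_text.splitlines() if ln.startswith("Udp:")]
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))


def rcvbuf_drop_ratio(counters):
    """Fraction of incoming datagrams dropped for lack of receive-buffer space.
    InErrors already includes RcvbufErrors, so the denominator is delivered
    plus errored datagrams. A rising RcvbufErrors is the signal that the
    buffer, not the network, is where the packet drops come from."""
    total = counters["InDatagrams"] + counters["InErrors"]
    return counters["RcvbufErrors"] / total if total else 0.0


def truncated_bytes(message, buffer_size=DEFAULT_BUFFER):
    """Per RFC 5426 each datagram carries one syslog message, and a message
    longer than the receiver's buffer is cut off. Returns bytes lost (0 fits)."""
    return max(0, len(message.encode("utf-8")) - buffer_size)


def oversized_messages(messages, buffer_size=DEFAULT_BUFFER):
    """Indexes of messages that would be truncated at buffer_size."""
    return [i for i, m in enumerate(messages) if truncated_bytes(m, buffer_size)]
```

A non-zero, growing RcvbufErrors together with an empty oversized list points at socket buffer depth rather than message size, which is the case where raising the buffer (and watching RAM, as noted above) actually helps.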

