I would like to have a syslog standby service that would start only when the collector was stopped for device updates and software upgrades (or any other reason for that matter). The stand-in would write to disk files until 1) the collector service restarted and killed the stand-in OR 2) a certain disk threshold was met. This would support preservation of UDP event data while we take the realtime components out of service. A customized filereader would be developed to facilitate the digestion of the files once the system came up again.
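A minimal stand-in of the kind described in that post, as an added example (not code from either poster): it binds the collector's UDP port, spools each datagram to disk with a receive timestamp, refuses further writes once a byte threshold is reached, and includes the "customized filereader" that hands the spooled messages back for digestion. It assumes the collector normally listens on UDP 514, uses a byte count on the spool file as the disk threshold, and the three syslog lines in `demo()` are constructed sample input.

```python
import socket
import tempfile
import time
from pathlib import Path

class SpoolFull(Exception):
    """Next write would push the spool past the configured disk threshold."""

def spool_datagram(spool: Path, payload: bytes, max_bytes: int) -> int:
    """Append one datagram as '<recv_epoch> <raw message>' plus newline; return the new size."""
    line = f"{time.time():.3f} ".encode() + payload.rstrip(b"\r\n") + b"\n"
    size = spool.stat().st_size if spool.exists() else 0
    if size + len(line) > max_bytes:  # check the threshold before writing, not after
        raise SpoolFull(f"{spool}: {size + len(line)} > {max_bytes} bytes")
    with spool.open("ab") as f:
        f.write(line)
    return size + len(line)

def read_spool(spool: Path):
    """The 'customized filereader': yield (recv_epoch, raw_message) for replay to the collector."""
    with spool.open("rb") as f:
        for line in f:
            stamp, _, msg = line.rstrip(b"\n").partition(b" ")  # split only on the first space
            yield float(stamp), msg

def run_standin(bind=("0.0.0.0", 514), spool=Path("standin.spool"), max_bytes=1 << 30):
    """Spool UDP syslog until the threshold is hit; the restarted collector kills this process."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        try:
            while True:
                data, _peer = sock.recvfrom(65535)
                spool_datagram(spool, data, max_bytes)
        except SpoolFull:
            pass  # stop accepting rather than filling the disk; the spool file stays intact

def demo(max_bytes: int = 150):
    """Spool three constructed messages under a tiny threshold; return (kept, threshold hit?, replayed)."""
    samples = [b"<34>Oct 11 22:14:15 fw1 kernel: link down\n",        # constructed sample lines
               b"<13>Oct 11 22:14:16 sw2 sshd: login ok\n",
               b"<165>Oct 11 22:14:17 rtr3 bgp: peer 10.0.0.2 reset\n"]
    spool = Path(tempfile.mkdtemp()) / "standin.spool"
    kept, full = 0, False
    for s in samples:
        try:
            spool_datagram(spool, s, max_bytes)
            kept += 1
        except SpoolFull:
            full = True  # later datagrams are dropped, matching the threshold rule above
    return kept, full, [msg for _, msg in read_spool(spool)]
```

With the 150-byte threshold the first two messages (111 bytes with their timestamps) are kept and the third is refused; a production threshold would be sized from the filesystem, not a constant.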
I've given this some thought in the past. This could be accomplished with a simple syslog aggregator, like Kiwi or Syslog-NG. You'd simply need a decent server with lots of disk space (more than one depending on how many event sources are coming in). These can be configured to store and forward events to the collector(s). You have to muck with the headers, but this is a documented and supported feature (removing relay headers). The only downside, if you monitor a large number of syslog devices, is you need to reconfigure all of those devices to point to the new syslog server. Other than that, I can't see why it wouldn't work.