We currently ship a syslog-ng.conf file which opens /dev/log as a stream socket instead of a datagram socket. I would like to propose that we change this to a unix-dgram. This is a very simple change and only requires modifying a single line in the conf file that we ship.

Rationale:
1) Security -- /dev/log used to be a stream socket by default, circa 1999. Unfortunately, I can't get a link to the security issue in question, because the site is currently down, but [1] has a reference to it. glibc (as of libc6) by default will always try to open /dev/log as a DGRAM socket first.
2) Lower overhead -- Balazs Scheidler, the maintainer of syslog-ng wrongly claims in the syslog-ng FAQ [2] that a SOCK_STREAM is "better" because it doesn't lose messages like a SOCK_DGRAM. He corrects himself [3], as the linux implementation of SOCK_DGRAM type unix socket is not actually prone to losing data.
3) Many other major implementations of system loggers (such as rsyslog or klogd) use a DGRAM socket.

[1] http://marc.info/?l=syslog-ng&m=110742184716042&w=2
[2] http://www.campin.net/syslog-ng/faq.html#AEN191
[3] https://lists.balabit.hu/pipermail/syslog-ng/2008-April/011605.html