That's a lot of syslogs. Are you using LEM for syslog retention? For extremely large amount of syslog, I have seen people send the syslog to Kiwi Syslog Server for syslog retention. Then send only the important syslogs over to LEM (or Orion). This way the company gets the 2 years of syslog retention they require while leveraging LEM for rules.
I have also seen another layer to this, which is a flowreplicator. This will allow the device(s) to send the flow (syslog, traps, netflow) to the replicator, then the replicator will send it out to whoever.
