Thanks Bazsi,<div>Just as a final follow-up to this, we did end up using <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">12.4(24)T code and the problem did go away. IOS </span><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">12.4(24)T also has the \n delimiter enabled by default when you enable tcp logging.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">Thanks Matt!</span></div>
<div>______________________________________________________________ <br><br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Thu, Sep 2, 2010 at 11:17 AM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Thu, 2010-08-19 at 09:29 -0600, <a href="mailto:syslogng@feystorm.net">syslogng@feystorm.net</a> wrote:<br>
> I explained it already :-)<br>
> When the message comes in over TCP and doesn't end with a newline,<br>
> syslog-ng assumes the message is going to be continued in another<br>
> packet. When the cumulative total of all the messages exceeds the max<br>
> message size it flushes the buffer out and you get all the messages<br>
> mashed together at once.<br>
> You can try filing a bug report on <a href="http://bugzilla.balabit.com" target="_blank">bugzilla.balabit.com</a> and request a<br>
> new flag or something that treats each packet on a tcp source as a<br>
> separate message, but I'd say the problem is more Cisco than syslog-ng<br>
> since syslog-ng works fine with all other sources except Cisco<br>
> devices :-/<br>
> Look at it this way, everything that sends logs out to tcp expects<br>
> the receiving syslog daemon to treat a packet without a newline as a<br>
> message to be continued in a later packet. If syslog-ng changed that<br>
> default behavior, all these other things that expect the behavior<br>
> would break.<br>
<br>
</div>Also, the tcp stack doesn't inform syslog-ng where packets terminate. It<br>
only receives a stream of bytes, and potentially two packets can be<br>
concatenated or split when receiving.<br>
<font color="#888888"><br>
--<br>
Bazsi<br>
</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br></div>
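<div>The framing behaviour discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a receiver that only sees a byte stream splits on \n, and a sender that omits the delimiter gets its messages flushed together once the buffer reaches the maximum message size. The class and function names, the 30-byte limit and the sample messages are constructed for illustration.</div>

```python
# Added illustration, not syslog-ng source. MAX_MSG_SIZE and the sample
# messages are constructed for the demo.
MAX_MSG_SIZE = 30


class NewlineFramer:
    """Split a TCP byte stream into syslog messages at b"\\n"."""

    def __init__(self, max_size=MAX_MSG_SIZE):
        self.max_size = max_size
        self.buf = b""

    def feed(self, chunk):
        """Consume one recv() result; return the messages completed by it."""
        self.buf += chunk
        done = []
        while True:
            nl = self.buf.find(b"\n")
            if 0 <= nl < self.max_size:
                # Delimiter seen: everything before it is one message.
                done.append(self.buf[:nl])
                self.buf = self.buf[nl + 1:]
            elif len(self.buf) >= self.max_size:
                # No delimiter within the limit: flush a full buffer as one
                # record, whatever number of sender messages it contains.
                done.append(self.buf[:self.max_size])
                self.buf = self.buf[self.max_size:]
            else:
                return done  # incomplete message, wait for more bytes


def frame_stream(chunks, max_size=MAX_MSG_SIZE):
    """Feed recv()-sized chunks in order; return (messages, unflushed bytes)."""
    framer = NewlineFramer(max_size)
    messages = []
    for chunk in chunks:
        messages.extend(framer.feed(chunk))
    return messages, framer.buf


if __name__ == "__main__":
    # Sender terminates each message with "\n"; recv() boundaries are arbitrary.
    print(frame_stream([b"<189>li", b"nk up\n<189>link", b" down\n"]))
    # Sender omits "\n": three writes come out as one truncated record.
    print(frame_stream([b"<189>link up", b"<189>link dn", b"<189>link up"]))
```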