Thanks Bazsi,

Just as a final follow-up to this, we did end up using 12.4(24)T code and the problem did go away. IOS 12.4(24)T also has the \n delimiter enabled by default when you enable tcp logging.

Thanks Matt!

______________________________________________________________
Clayton Dukes
______________________________________________________________

On Thu, Sep 2, 2010 at 11:17 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Thu, 2010-08-19 at 09:29 -0600, syslogng@feystorm.net wrote:
I explained it already :-) When the message comes in over TCP and doesn't end with a newline, syslog-ng assumes the message is going to be continued in another packet. When the cumulative total of all the messages exceeds the max message size it flushes the buffer out and you get all the messages mashed together at once.

You can try filing a bug report on bugzilla.balabit.com and request a new flag or something that treats each packet on a TCP source as a separate message, but I'd say the problem is more Cisco than syslog-ng since syslog-ng works fine with all other sources except Cisco devices :-/

Look at it this way, everything that sends logs out to TCP expects the receiving syslog daemon to treat a packet without a newline as a message to be continued in a later packet. If syslog-ng changed that default behavior, all these other things that expect the behavior would break.
Also, the tcp stack doesn't inform syslog-ng where packets terminate. It only receives a stream of bytes, and potentially two packets can be concatenated or split when receiving.
-- Bazsi
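
The framing behaviour discussed in the messages above, as an added sketch that is not part of the original thread and is not syslog-ng's code: a receiver that delimits messages by newline and force-flushes at a maximum size. The class and function names, the 40-byte limit and the sample messages are constructed for illustration.

```python
MAX_MSG_SIZE = 40  # constructed limit, small so the forced flush is visible

class NewlineFramer:
    """Simplified model of newline-delimited framing; not syslog-ng's code."""

    def __init__(self, max_size=MAX_MSG_SIZE):
        self.max_size = max_size
        self.buf = b""

    def feed(self, chunk):
        """Take bytes as recv() returned them; return the messages now complete."""
        self.buf += chunk
        out = []
        while True:
            nl = self.buf.find(b"\n", 0, self.max_size)
            if nl != -1:                          # delimiter seen: one message
                out.append(self.buf[:nl])
                self.buf = self.buf[nl + 1:]
            elif len(self.buf) >= self.max_size:  # no delimiter: forced flush
                out.append(self.buf[:self.max_size])
                self.buf = self.buf[self.max_size:]
            else:                                 # incomplete: wait for more bytes
                return out

def run(chunks, max_size=MAX_MSG_SIZE):
    """Feed chunks in order; return (messages, bytes still buffered)."""
    framer = NewlineFramer(max_size)
    msgs = []
    for chunk in chunks:
        msgs.extend(framer.feed(chunk))
    return msgs, framer.buf

# Constructed sample messages (not taken from a real device).
MSGS = [b"<189>1: Gi0/1 down", b"<189>2: Gi0/1 up", b"<189>3: Gi0/2 down"]

def rechunk(stream, size):
    """Cut a stream at arbitrary offsets, as TCP segmentation may."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]

if __name__ == "__main__":
    # Sender without a trailing newline: messages run together until the limit.
    print(run(MSGS))
    # Sender that appends "\n": boundaries survive any segmentation.
    delimited = b"".join(m + b"\n" for m in MSGS)
    print(run(rechunk(delimited, 7)))
```

In the first run the three records come out as one merged record cut at the size limit, with the tail still buffered; in the second, the same records are recovered intact regardless of where the stream was split.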