We are running syslog-ng, open source edition, version 3.22.1, on RedHat Enterprise version 7.8. Among many other data sources, we receive syslog data from an F5 device that acts as a VPN server. One type of message that it sends us is consistently not making it into the log (though everything else, to my knowledge, does.) I wonder if anyone sees something wrong with the message that would prevent its being parsed/stored. The message (reconstructed from a packet capture, identification fields redacted or changed): <141>1 2020-08-04T08:10:58.769127-05:00 <fqdn here> apmd 12374 01490113:5: [F5@12276 hostname="fqdn" errdefs_msgno="01490113:5:" partition_name="Common" session_id="1c95e1e7" Access_Profile="/Common/blah" Partition="Common" Session_Id="1c95e1e6" Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address" Session_Variable_Value="3C:D9:2B:33:9A:8E"] /Common/<blah>:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address is 3C:D9:2B:33:9A:8E I inserted the line breaks to help Outlook. Note that although the message appears to be RFC5424-compliant I have discovered that it does not have whatever magic headers let syslog-ng handle it as structured data transparently. As a result, I cannot use the "syslog" transport but have to use the generic "network" transport and then use flags "syslog-protocol". This works OK for everything else from this source. The message doesn't appear in our syslog logs at all. It's consistent. The relevant parts of the syslog-ng configuration look like: options { ts_format(iso); use_dns(yes); dns_cache(1000); dns_cache_expire(30); use_fqdn(yes); keep_hostname(no); chain-hostnames(no); keep_timestamp(yes); stats_level(1); stats_freq(3600); normalize_hostnames(yes); log_fifo_size(10000); flush_lines(1000); log-msg-size(65536); trim-large-messages(yes); threaded(yes); time_reap(10); create_dirs(yes); dir_group(esmapp); dir_owner(esmapp); group(esmapp); owner(esmapp); perm(0644); }; source s_F5VPN_source { network( transport("tcp") ip(0.0.0.0) port(11000) keep-timestamp(yes) flags(no-multi-line,syslog-protocol) max-connections(50) log_iw_size(10000) log-fetch-limit(20) ); }; filter f_F5VPN_client { netmask(<blah>) and facility(local1); }; destination d_F5VPN_client { file( "/home/syslog/F5VPN_client.log" ts_format(rfc3164) ); }; log { source(s_F5VPN_source); filter(f_F5VPN_client); destination(d_F5VPN_client); flags(flow-control); }; Regards, Jon Jon Wilson | Principal System Engineer, IT Service Management | Information Technology | Vanderbilt University Medical Center jonathan.wilson@vumc.org<mailto:jonathan.wilson@vumc.org> | phone: 615-440-7895 | fax: 615-323-2181