We are using syslog-ng in a test lab environment to get syslog messages out of the test lab into another environment. So several systems are forwarding messages to a bastion host of sorts, which then forwards by traversing a firewall to another host. The messages have to traverse a firewall (NAT). We decided to use TCP because it is a bit easier to get past the security guys.

We have noticed behavior which is the nature of TCP: several (lines) of a syslog message ending up in the same packet (using a sniffer). Although interesting, this is not the problem. We have noticed that some messages are getting lost.

So, the questions:

a) Can we change something to have one message per packet with syslog-ng settings?
b) Has anyone else seen this behavior (or is anyone even using TCP)?
c) Any other clues as to why a TCP session that is stable would drop packets?
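
The coalescing seen in the sniffer, as an added example that is not part of the original post and is not syslog-ng code: TCP delivers a byte stream, so a receiver recovers messages by splitting on the delimiter rather than on packet boundaries. The sketch assumes newline-terminated messages and a hypothetical `seq=N` tag written by a test sender, which lets a lab separate genuine loss from several messages sharing one packet.

```python
# Added example. The chunks in demo() are constructed, simplified sample data.

class LineFramer:
    """Reassemble newline-terminated messages from arbitrary TCP reads."""

    def __init__(self, max_len=8192):
        self.buf = bytearray()
        self.max_len = max_len  # assumed cap, bounds memory if a newline never arrives

    def feed(self, chunk):
        """Add one recv() result; return the complete messages it finished."""
        self.buf += chunk
        *lines, rest = bytes(self.buf).split(b"\n")
        if len(rest) > self.max_len:
            raise ValueError("unterminated message exceeds max_len")
        self.buf = bytearray(rest)  # keep the partial message for the next read
        return [l.rstrip(b"\r").decode("utf-8", "replace") for l in lines if l]


def missing_sequence_numbers(messages):
    """Return the gaps in the hypothetical 'seq=N' tags found in messages."""
    seen = set()
    for m in messages:
        for tok in m.split():
            if tok.startswith("seq=") and tok[4:].isdigit():
                seen.add(int(tok[4:]))
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def demo():
    # Two messages coalesced in one read, one split across two reads,
    # and seq=4 deliberately absent to represent a lost message.
    chunks = [
        b"<13>host1 test: seq=1 first\n<13>host1 test: seq=2 second\n<13>ho",
        b"st2 test: seq=3 third\n",
        b"<13>host1 test: seq=5 fifth\n",
    ]
    framer = LineFramer()
    messages = [m for c in chunks for m in framer.feed(c)]
    return messages, missing_sequence_numbers(messages)


if __name__ == "__main__":
    msgs, missing = demo()
    print(len(msgs), "messages; missing seq:", missing)
```

Counting tagged messages at each hop (source, bastion host, final receiver) shows where a gap first appears, independent of how the messages were packed into segments.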