On Thu, 2010-08-19 at 09:29 -0600, syslogng@feystorm.net wrote:
I explained it already :-) When the message comes in over TCP and doesn't end with a newline, syslog-ng assumes the message is going to be continued in another packet. When the cumulative total of all the messages exceeds the max message size it flushes the buffer out and you get all the messages mashed together at once. You can try filing a bug report on bugzilla.balabit.com and request a new flag or something that treats each packet on a TCP source as a separate message, but I'd say the problem is more Cisco than syslog-ng since syslog-ng works fine with all other sources except Cisco devices :-/ Look at it this way, everything that sends logs out to TCP expects the receiving syslog daemon to treat a packet without a newline as a message to be continued in a later packet. If syslog-ng changed that default behavior, all these other things that expect the behavior would break.
Also, the TCP stack doesn't inform syslog-ng where packets terminate. It only receives a stream of bytes, and potentially two packets can be concatenated or split when receiving.

-- Bazsi
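The framing behaviour discussed in this thread, as an added example that is not part of either message and is not syslog-ng's code: a simplified newline framer over a byte stream, fed constructed sample chunks. The class name, the small size limits and the sample log lines are assumptions made for the illustration.

```python
MAX_MSG_SIZE = 64  # assumed demo value standing in for the configured maximum message size


class NewlineFramer:
    """Simplified model: split a TCP byte stream on b'\\n', flush when the limit is hit."""

    def __init__(self, max_size=MAX_MSG_SIZE):
        self.max_size = max_size
        self.buf = b""

    def feed(self, chunk):
        """Take whatever one recv() returned; return the messages now complete."""
        self.buf += chunk
        out = []
        while True:
            nl = self.buf.find(b"\n")
            if nl != -1 and nl <= self.max_size:
                # Terminator found: everything before it is one message.
                out.append(self.buf[:nl])
                self.buf = self.buf[nl + 1:]
            elif len(self.buf) >= self.max_size:
                # No terminator within the limit: flush the buffer as one message.
                out.append(self.buf[:self.max_size])
                self.buf = self.buf[self.max_size:]
            else:
                return out  # wait for more bytes


def run(chunks, max_size=MAX_MSG_SIZE):
    """Feed chunks in order; return (messages, bytes still buffered)."""
    framer = NewlineFramer(max_size)
    msgs = []
    for c in chunks:
        msgs.extend(framer.feed(c))
    return msgs, framer.buf


# Constructed sample input (not captured from a real device).
WITH_NL = [b"<189>1: link up\n", b"<189>2: link down\n"]
# The same bytes, split at arbitrary points as TCP is free to do.
RESPLIT = [b"<189>1: li", b"nk up\n<189>2: link", b" down\n"]
# A sender that never terminates its messages with a newline.
NO_NL = [b"<189>1: link up", b"<189>2: link down", b"<189>3: config changed"]

if __name__ == "__main__":
    print(run(WITH_NL))
    print(run(RESPLIT))
    print(run(NO_NL, max_size=40))
```

The first two runs yield the same two messages regardless of how the bytes were chunked, while the unterminated sender produces one merged record cut at the size limit, with the remainder left in the buffer.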