[rsyslog-notify] Forum Thread: Re: Rsyslog silently discarding messages - (Mode 'reply')

[noreply at adiscon.com]

User: liupjo 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26839#p26839

Message: 
----------
[quote="dlang":1oq4asda]with syslog over TCP, the delimiter between
messages is a newline, if there are no newlines, rsyslog is required to
believe that there is more data due to arrive as part of this message.
 
When the message size exceeds th youe maxmessagesize, rsyslog will process
maxmessagesize bytes as one message and the remainer of what's arrived will
become the beginning of the next message.

If you can't fix the switch to send messages with a newline, switch back to
using UDP. With UDP the message is required to be in a single packet (which
can be fragmented for delivery across a network with a MTU lower than the
packet size) a newline isn't required.[/quote:1oq4asda]

I can confirm the expected behaviour with UDP, the messages are now
correctly stored on file.
This is definitely an issue with the implementation of TCP syslog on the
Cisco switch side. For the interested users, the bug affects IOS version
12.1(22)EA1, older version seems not to have TCP at all.

The only "strange" behaviour related to rsyslog is during restart. When a
message without a newline is received by rsyslog and the daemon gets
restarted right afterwards, the message doesn't get flushed to disk (except
in the case of a full maxmessagesize) but discarded.
Is this behaviour by design or there is a way to configure rsyslogd not to
discard "partially" received messages?

Thanks for your help so far.