Mangled/merged syslog messages via UDP and RFC5424

[cipriancraciun]

I've built the latest v1.4 tag (on an OpenSUSE Leap 15.5), and I've tried to use the following configuration:

[Network]
Address = 172...:514
Protocol = udp
LogFormat = rfc5424
UseSysLogMsgId = yes
UseSysLogStructuredData = yes
SendBuffer = 65536

On the remote syslog target, I observe that some of the received syslog messages are mangled in non-expected ways:

• by "payload" I mean a syslog packet containing one single message (line);
• neither is one payload truncated at the beginning or at the end;
• neither are two payloads concatenated;
• it seems that part of the beginning of a payload is followed by some data from the middle of another payload; (the parser I'm using complains that the application name is missing or improperly formatted, but from visual inspection it is clear that there are two messages somehow merged together;)

This happens mainly when the second packet is a large one, larger than the MTU, but smaller than 16K (or so).

(If I replace systemd-netlogd with a simple socat -u unix-recv:/run/systemd/journal/syslog udp:172...:514, the issue seems to disappear. Granted, that uses RFC-3164, and doesn't do any additional processing.)

(This issue is related with https://github.com/systemd/systemd/issues/32852)

[cipriancraciun]

Sorry for the false alarm. The issue was in the code I was using (I retained the received buffer longer than I was supposed to, and thus it got overwritten).