I made a setup for collecting logs from network devices, received over UDP. I want to migrate it all to TCP, but a few tests didn't succeed. For some reason, distinct log lines are being merged into one. This is an incoming log example I caught in live debugging:
[IN]: timestamp: 2026-02-03T17:01:28Z, entry: %%01INFO/3/SUPPRESS_LOGINFO(s):CID=0x80600412;Log SNMP/SNMP_AUTHEN_FAILED is suppressed 1 in last 60 seconds, Source=0x80d50414.<131>Feb 3 17:01:37 [CENSORED-HOSTNAME] %%01SNMP/3/SNMP_AUTHEN_FAILED(s):CID=0x80d50414;Failed to login through SNMP. (Version=v2c, UserName=, Ip=[CENSORED-IP], VpnName=public, RequestID=974531177, PduType=Get, Reason=ACL denied)<131>Feb 3 17:02:41 [CENSORED-HOSTNAME] %%01SNMP/3/SNMP_AUTHEN_FAILED(s):CID=0x80d50414;Failed to login through SNMP. (Version=v2c, UserName=, Ip=[CENSORED-IP], VpnName=public, RequestID=1059443702, PduType=Get, Reason=ACL denied)<133>Feb 3 17:03:15 [CENSORED-HOSTNAME] %%01CLI/5/LOGIN(s):CID=0x80ca2713;The user succeeded in logging in to VTY0. (UserType=SSH, UserName=[CENSORED-USER], AuthenticationMethod="Local-user", RemoteIp=[CENSORED-IP], VpnName=public, LocalIp=[CENSORED-IP])<133>Feb 3 17:03:15 [CENSORED-HOSTNAME] %%01CM/5/ADMIN_USER_ACCESSRESULT(s):Service=nac_admin0;USER_INFO_AUTHENTICATION. (DEVICEMAC:[CENSORED-MAC];DEVICENAME:[CENSORED-HOSTNAME];USER:[CENSORED-USER];MAC:-;IPADDRESS:[CENSORED-IP];TIME:2026-02-03 14:03:15;ZONE:UTC-03:00;DAYLIGHT:false;ERRCODE:0;RESULT:success;CIB ID:16393;ACCESS TYPE:SSH;RDSIP:-;Portal TYPE:-;VPNNAME:public;AUTHID:4294967295;AuthFailType:None;AUTHPROTOCOL:PAP;)<133>Feb 3 17:03:15 [CENSORED-HOSTNAME] %%01SSH/5/SSH_USER_LOGIN(s):CID=0x80937541;The SSH user succeeded in logging in. (ServiceType=stelnet, UserName=[CENSORED-USER], UserAddress=[CENSORED-IP], LocalAddress=[CENSORED-IP], VPNInstanceName=public)<133>Feb 3 17:03:20 [CENSORED-HOSTNAME] %%01CLI/5/LOGOUT(s):CID=0x80ca2713;The user succeeded in logging out of VTY0. (UserType=SSH, UserName=[CENSORED-USER], RemoteIp=[CENSORED-IP], VpnName=public, Reason=the terminal was closed, LocalIp=[CENSORED-IP])<133>Feb 3 17:03:20 [CENSORED-HOSTNAME] %%01CM/5/ADMIN_USER_OFFLINERESULT(s):Service=nac_admin0;USER_INFO_OFFLINE. (DEVICEMAC:[CENSORED-MAC];DEVICENAME:[CENSORED-HOSTNAME];USER:[CENSORED-USER];MAC:-;IPADDRESS:[CENSORED-IP];TIME:2026-02-03 14:03:20;ZONE:UTC-03:00;DAYLIGHT:false;ERRCODE:20;RESULT:Connect check fail;EXTENDINFO:NULL;CIB ID:16393;ACCESS TYPE:SSH;RDSIP:-;Portal TYPE:-;VPNNAME:public;AUTHID:4294967295;AUTHPROTOCOL:PAP;)<133>Feb 3 17:03:20 [CENSORED-HOSTNAME] %%01SSH/5/SSH_USER_LOGOUT(s):CID=0x80937541;The SSH user logged out. (ServiceType=stelnet, LogoutReason=Client requested disconnection, UserName=[CENSORED-USER], UserAddress=[CENSORED-IP], LocalAddress=[CENSORED-IP], VPNInstanceName=public), labels: {app_name="%%01INFO/3/SUPPRESS_LOGINFO(s)", connection_ip_address="[CENSORED-IP]", facility="local0", hostname="[CENSORED-HOSTNAME]", protocol="tcp", severity="error"}, structured_metadata: {}
This is a single log record with 9 log lines inside. I've already tried tweaking the idle_timeout setting, making it a little more aggressive (10 seconds, for example). I have also reproduced this with both MikroTik and Huawei devices sending logs.
Checking a packet capture, I can see that the switch sends it this way: multiple log lines merged into one TCP packet. Is there any configuration that would split this into multiple records instead of only one?
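The framing problem the capture above shows, as an added example that is not part of the original post and not the code of any particular collector: a small Python stream framer that splits a TCP byte buffer into individual syslog messages. Syslog over TCP (RFC 6587) is framed either by an octet count prefix or by a trailer (normally LF); when a device sends neither and simply concatenates messages, a receiver that frames on LF has nothing to split on until the idle timeout or connection close, which is exactly a multi-message record like the one pasted above. The framer handles both standard framings and, as a fallback, takes the next `<PRI>` plus RFC 3164 timestamp header as the boundary. The hostname `SW1`, the addresses and the `STREAM` sample are constructed placeholders shaped like the question's capture; the real receiver's configuration knobs are not on the page, so only the boundary logic is shown.

```python
import re

# Month names of the RFC 3164 (BSD) timestamp the devices in the question emit.
_MONTHS = rb"Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# Message boundary: "<PRI>" immediately followed by "Mon [d]d hh:mm:ss ".
# Requiring the timestamp (not just "<ddd>") avoids splitting on a "<131>"
# that merely occurs inside a message body.
_HEADER_RE = re.compile(rb"<(\d{1,3})>(?:" + _MONTHS + rb") {1,2}\d{1,2} \d\d:\d\d:\d\d ")
# RFC 6587 octet counting: decimal length, one space, then exactly that many
# bytes; the lookahead for "<" keeps a stray "20 seconds..." fragment from
# being mistaken for a length prefix.
_OCTET_RE = re.compile(rb"^(\d{1,5}) (?=<)")

# Constructed sample (hostname and IPs are placeholders): three messages
# delivered back to back in one TCP segment with no LF and no length prefix,
# the shape the capture in the question shows.
STREAM = (
    b"<131>Feb  3 17:01:37 SW1 %%01SNMP/3/SNMP_AUTHEN_FAILED(s):CID=0x80d50414;"
    b"Failed to login through SNMP. (Version=v2c, Ip=192.0.2.10, Reason=ACL denied)"
    b"<133>Feb  3 17:03:15 SW1 %%01CLI/5/LOGIN(s):CID=0x80ca2713;"
    b"The user succeeded in logging in to VTY0. (UserType=SSH, RemoteIp=192.0.2.20)"
    b"<133>Feb  3 17:03:20 SW1 %%01CLI/5/LOGOUT(s):CID=0x80ca2713;"
    b"The user succeeded in logging out of VTY0. (UserType=SSH, Reason=the terminal was closed)"
)


def frame_syslog(buf: bytes, final: bool = False) -> tuple[list[bytes], bytes]:
    """Split a TCP byte buffer into complete syslog messages.

    Returns (messages, leftover). `leftover` is a possibly incomplete trailing
    message that must be prepended to the next TCP segment; pass final=True on
    connection close to flush it. Handles octet counting ("148 <131>..."),
    non-transparent framing (LF trailer) and, as a fallback, bare
    concatenation where the next "<PRI>timestamp" header marks the boundary.
    (A real receiver fixes the framing per connection; sniffing it per call is
    only for this demo.)
    """
    messages: list[bytes] = []
    m = _OCTET_RE.match(buf)
    if m:
        # Octet-counted stream: only the declared length matters, so bodies may
        # legitimately contain "<PRI>" text or newlines.
        while m:
            length = int(m.group(1))
            start, end = m.end(), m.end() + length
            if end > len(buf):
                break  # message not fully received yet
            messages.append(buf[start:end])
            buf = buf[end:]
            m = _OCTET_RE.match(buf)
        return messages, buf

    starts = [h.start() for h in _HEADER_RE.finditer(buf)]
    if not starts:
        return ([buf.rstrip(b"\r\n")] if final and buf else []), (b"" if final else buf)

    if starts[0] != 0:
        # Bytes before the first header are the tail of a message whose head
        # was never seen (e.g. right after a reconnect); emit them as their own
        # record so nothing silently disappears into the next message.
        messages.append(buf[:starts[0]].rstrip(b"\r\n"))

    for a, b in zip(starts, starts[1:]):
        messages.append(buf[a:b].rstrip(b"\r\n"))

    tail = buf[starts[-1]:]
    # Without a length prefix the last message is known to be complete only if
    # it is LF-terminated or the connection is closing; otherwise keep it until
    # the next header (or more of this message) arrives in the next segment.
    if final or tail.endswith(b"\n"):
        messages.append(tail.rstrip(b"\r\n"))
        return messages, b""
    return messages, tail


def feed_segments(segments: list[bytes]) -> list[bytes]:
    """Simulate one TCP connection delivering `segments` and then closing."""
    out: list[bytes] = []
    pending = b""
    for seg in segments:
        msgs, pending = frame_syslog(pending + seg)
        out.extend(msgs)
    msgs, _ = frame_syslog(pending, final=True)
    return out + msgs


def priority(msg: bytes) -> tuple[int, int]:
    """Decode <PRI> into (facility, severity): PRI = facility * 8 + severity."""
    m = _HEADER_RE.match(msg)
    if not m:
        raise ValueError("message has no <PRI>timestamp header")
    pri = int(m.group(1))
    return pri // 8, pri % 8


if __name__ == "__main__":
    for msg in feed_segments([STREAM]):
        fac, sev = priority(msg)
        print(f"facility={fac} severity={sev} {msg[:60]!r}...")
```

Two things worth checking against your own capture before changing anything on the collector side: whether each message in the segment ends with `\n` (if it does, the receiver should already be splitting, and the problem is elsewhere), and whether the devices can be switched to octet counting, which is unambiguous and does not depend on the header heuristic above. That heuristic is only a fallback: a message body containing text of the form `<131>Feb  3 17:01:37 ` would be split in the wrong place, and the final message of a bare-concatenated stream is not released until the next header or the connection close, which is the same latency the idle timeout imposes today.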