
How to configure Splunk to not merge Juniper VPN logs in one event?

scottsavaresevi
Path Finder

I am currently sending my Juniper VPN logs to Splunk. Periodically I see multiple log entries from the VPN appear as one entry in Splunk. So, I decided to send the logs to rsyslog on a Linux server to look for differences. My assumption was that the Juniper is not adding a return character at the end of the log entry, but that doesn't appear to be the case.

In Splunk, I see this entry:

189 <134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.190 <134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

However in rsyslog, I see those entries like this:

Aug 27 12:34:09 myjunmag01 Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.
Aug 27 12:34:14 myjunmag01 Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

So it definitely looks like Splunk is doing something to the logs. Questions:

How can I tell Splunk to no longer merge those log entries? What are the "189 <134>" and "190 <134>" bits that get added where the front of the line should be?

My props and transforms files are stock. I haven't made any changes there. All logs come in on TCP and UDP port 514.

Thanks,
Scott

0 Karma
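The "189 <134>" and "190 <134>" prefixes have the shape of RFC 6587 "octet counting" framing for syslog over TCP: a decimal byte count, a space, then the message starting with its <PRI> field, with no newline between frames. A collector that breaks events only on newlines sees a whole TCP buffer of such frames as one event, which is exactly the merged entry shown above; from a detection standpoint that matters, because the second Host Checker result is never indexed as its own event. The following parser is an added example written for this page, not code from the original post, from Splunk or from Juniper. The two sample messages are constructed to resemble the ones in the question (the length prefixes are computed from the constructed text rather than copied from the thread), and the fallback to newline-delimited framing is an assumption about mixed senders, not something the thread describes.

```python
"""Split a TCP syslog byte stream into individual messages (RFC 6587 framing).

Added example for this thread, not code from the original post, Splunk or Juniper.
Assumes the "189 <134>..." prefix is octet-counting framing:  MSG-LEN SP SYSLOG-MSG
where MSG-LEN is the byte length of the message that follows it.
"""
import re
from typing import List, Tuple

# Constructed sample messages (modelled on the question, not copied verbatim).
MSG1 = (b"<134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] "
        b"MYDOMAIN\\user1(Company laptops)[] - Host Checker policy 'Company Laptop' "
        b"passed on host 1.2.3.4  for user 'MYDOMAIN\\user1'.")
MSG2 = (b"<134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] "
        b"MYDOMAIN\\user2(Company laptops)[] - Host Checker policy 'Company Laptop' "
        b"passed on host 2.3.4.5  for user 'MYDOMAIN\\user2'.")

# Upper bound on a declared frame length. Without it a buggy or hostile sender
# can declare a huge length and make the collector buffer forever.
MAX_FRAME = 64 * 1024

# Octet-count prefix: digits, one space, and the message must start with '<PRI>'.
# The lookahead keeps a newline-delimited message that happens to start with a
# number from being misread as a length prefix.
_LEN_PREFIX = re.compile(rb"(\d{1,10}) (?=<\d{1,3}>)")


def frame(msg: bytes) -> bytes:
    """Encode one message with octet-counting framing (what the sender does)."""
    return b"%d %s" % (len(msg), msg)


# Two frames back to back in one TCP buffer, no newline between them.
SAMPLE_STREAM = frame(MSG1) + frame(MSG2)


def naive_newline_split(buf: bytes) -> List[bytes]:
    """What a newline-only line breaker produces: the whole buffer is one event."""
    return [line for line in buf.split(b"\n") if line]


def split_octet_counted(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Return (messages, remainder).

    Consumes as many complete frames as the buffer holds. A frame whose declared
    length exceeds the bytes available is left in `remainder` so the caller can
    append the next TCP read and call again. Data that does not start with a
    length prefix is treated as newline-delimited ("non-transparent") framing.
    """
    messages: List[bytes] = []
    pos = 0
    while pos < len(buf):
        m = _LEN_PREFIX.match(buf, pos)
        if m:
            length = int(m.group(1))
            if length > MAX_FRAME:
                raise ValueError("declared frame length %d exceeds cap" % length)
            start, end = m.end(), m.end() + length
            if end > len(buf):
                break  # incomplete frame: wait for more data
            messages.append(buf[start:end])
            pos = end
        else:
            nl = buf.find(b"\n", pos)
            if nl == -1:
                break  # incomplete line: wait for more data
            messages.append(buf[pos:nl].rstrip(b"\r"))
            pos = nl + 1
    return messages, buf[pos:]


def parse_pri(msg: bytes) -> Tuple[int, int, bytes]:
    """Decode the <PRI> field: facility = PRI // 8, severity = PRI % 8."""
    m = re.match(rb"<(\d{1,3})>", msg)
    if not m:
        raise ValueError("message has no <PRI> field")
    pri = int(m.group(1))
    return pri >> 3, pri & 7, msg[m.end():]


if __name__ == "__main__":
    print("newline-only split:", len(naive_newline_split(SAMPLE_STREAM)), "event(s)")
    msgs, rest = split_octet_counted(SAMPLE_STREAM)
    print("frame-aware split:", len(msgs), "event(s), leftover", len(rest), "bytes")
    for msg in msgs:
        facility, severity, body = parse_pri(msg)
        print("facility=%d severity=%d %s" % (facility, severity, body.decode()))
```

Running the block shows the contrast: the newline-only split yields one event for the sample buffer, the frame-aware split yields two, and each message decodes to facility 16 (local0) and severity 6 (informational) from <134>. Whatever does the event breaking on the collector side needs the same rule as `_LEN_PREFIX`, a decimal count followed by a space and `<PRI>`, or the sender must be switched to newline-delimited framing.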

aholzel
Communicator

This is not a Splunk problem but a Juniper SA problem.

This is a bug in the syslog via TCP implementation in the Juniper SA. The problem is that the SA is buffering the logging and is not sending it out one at a time as it happens (live stream). I created a support ticket for this back in November and Juniper confirmed my findings. Juniper has solved this problem in version 8.1R1 (released in December).
