Hello,
My router firmware (current): version: 7.18.2 (stable)
Problem 1:
Description of the “cef-event-delimiter” property from the official website (https://help.mikrotik.com/docs/spaces/ROS/pages/328134/Command+Line+Interface):
cef-event-delimiter (string; Default: \r\n)
It is not true that the default value of the separator is \r\n:
- if the “CEF event delimiter” field is not specified in winbox in the “Log Action …” window (the field is gray), a logging action is created:
[admin@MikroTik] > /system logging action print
4 name="zdalnelogi1" target=remote remote=172.29.19.60 remote-port=514 src-address=172.29.19.1 remote-log-format=cef remote-protocol=tcp cef-event-delimiter="" syslog-time-format=iso8601 syslog-facility=daemon syslog-severity=auto
- messages with CEF logs sent from mikrotik do not contain any delimiter and look like this (two messages below):
2025-05-13T13:55:20.701+0200 MikroTik CEF:0|MikroTik|RB4011iGS+|7.18.2 (stable)|61|interface,info|Low|dvchost=MikroTik dvc=172.29.19.1 msg=ether4 link up (speed 1G, full **duplex)2025**-05-13T13:55:20.701+0200 MikroTik CEF:0|MikroTik|RB4011iGS+|7.18.2 (stable)|61|interface,info|Low|dvchost=MikroTik dvc=172.29.19.1 msg=ether4 link up (speed 1G, full duplex)
- I bolded above the end of the first message and the beginning of the second one - there is no delimiter between messages
Problem 2:
In winbox it is not possible to define \n in the “CEF event delimiter” field in the “Log Action …” window - the delimiter “\n” (line feed code) entered into this field results in a separator consisting of the two characters \ and n
I noticed that the “\n” separator can be defined in the terminal using, for example, the command:
/system logging action set 4 cef-event-delimiter="\n"
and then mikrotik starts using the expected separator “\n” (hexadecimal one byte $0A) in CEF format logs
However, then in the “Log Action …” window in winbox, the “CEF event delimiter” field becomes active, but has empty content (no display of the defined separator “\n”).
Problem 3:
When the TCP protocol is used to send logs from Mikrotik, the lack of a delimiter at the end of the message causes the following:
- the remote logging server (I checked rsyslog and syslog-ng on a “debian 12” system) does not process the received messages immediately and buffers them
- processing of the messages in the remote syslog server occurs only after restarting Mikrotik: then the logging connection is closed and one multi-line message containing all previously buffered messages is generated
- the above problem does not exist when the UDP protocol is used for sending logs; however, messages generated while there is no connection to the syslog server (e.g. during a mikrotik restart) will then not be registered by the syslog server
My request: can you add to “/system logging action” a new property “delimiter” for the other two log formats (“default” and “syslog”) as well, which would allow correct transfer of logs to a remote syslog server (e.g. rsyslog) when the TCP protocol is used?
Thank you and best regards
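
The buffering described in Problems 2 and 3, as an added example that is not part of the original post: a simplified model of a TCP syslog input that frames messages on LF, fed with an empty delimiter, the two-character `\` + `n` delimiter, and a real LF. The receiver class, the sample event (constructed from the line quoted in the post) and the `split_undelimited` recovery helper are assumptions for illustration, not rsyslog, syslog-ng or RouterOS code.

```python
import re

# Constructed sample, modelled on the CEF line quoted in the post.
MSG = (b"2025-05-13T13:55:20.701+0200 MikroTik CEF:0|MikroTik|RB4011iGS+|"
       b"7.18.2 (stable)|61|interface,info|Low|dvchost=MikroTik "
       b"dvc=172.29.19.1 msg=ether4 link up (speed 1G, full duplex)")

class LfFramedReceiver:
    """Simplified model of a TCP syslog input that frames on LF: a message
    is released only when LF arrives or the connection closes."""
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        *complete, self.buf = self.buf.split(b"\n")
        return [m.rstrip(b"\r") for m in complete if m]

    def close(self):
        rest, self.buf = self.buf, b""
        return [rest] if rest else []

def simulate(delimiter, count=2):
    """Send `count` events with the given delimiter; return what the receiver
    released while connected and what only appeared at connection close."""
    rx, live = LfFramedReceiver(), []
    for _ in range(count):
        live += rx.feed(MSG + delimiter)
    return live, rx.close()

# Hypothetical recovery helper: cut a run-together blob at each
# "<ISO 8601 timestamp> <host> CEF:<version>|" header.
BOUNDARY = re.compile(
    rb"(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4} \S+ CEF:\d+\|)")

def split_undelimited(blob):
    return [part for part in BOUNDARY.split(blob) if part]

if __name__ == "__main__":
    for name, delim in [("empty", b""), ("backslash+n", b"\\n"), ("LF", b"\n")]:
        live, at_close = simulate(delim)
        print(f"{name:12} live={len(live)} at_close={len(at_close)}")
    print(len(split_undelimited(MSG + MSG)), "events recovered from blob")
```

The splitter is a collector-side recovery heuristic only: message text that itself contains a timestamp-and-CEF header would also be cut, so setting a real LF delimiter on the router remains the fix.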