Forum Discussion

Bryan_Tabb
Copper Contributor
May 24, 2021

Some syslog from Meraki is being truncated

Hi all

I'm hoping someone can point me in the right direction, please.

For some unknown reason, some Meraki logs are losing the first 6-7 fields.

If I take one sample of a conversation, below is what is received by the syslog collector (cat /var/log/syslog) running the OMS agent (Debian 10 - 4.19.0-16-amd64):

May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443
May 25 00:41:47 rtr-1 1621860107.478281214 RTR_1 flows src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow
May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187
May 25 00:49:37 rtr-1 1621860577.007734835 ip_flow_end src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187

However, when I look in the log workspace, the entries that start "<device name> flows" are missing a bunch of data. The syslog message seems to start part way through the MAC address.

Troubleshooting:

* reinstalled the OMS agent

* ran the OMS troubleshooter ($ sudo /opt/microsoft/omsagent/bin/troubleshooter), which came back clean

* added max message size to fluentd config

This same syslog collector takes logs from a couple of Sophos XG firewalls and there is no issue there, only with Meraki.

Any pointers on where to start would be appreciated.

Thanks!
3 Replies
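A small checker for the Meraki message format shown in the post, added here as an example; it is not part of the original thread, of Meraki's documentation or of the OMS agent. It parses the body of each syslog message (the text after the "May 25 00:41:47 rtr-1" header) into the epoch, event text and key=value fields, and reports which fields a "flows" event is missing, so truncated entries can be counted at the collector before they reach the workspace. Function names are my own; the third sample message is constructed to mimic a body that begins part way through the MAC address.

```python
import re
from typing import Dict, List

# Fields every Meraki "flows" event carries in the post's intact samples.
FLOW_FIELDS = ("src", "dst", "mac", "protocol", "sport", "dport")
EPOCH_RE = re.compile(r"^\d{10}\.\d+$")  # e.g. 1621860107.412815461
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
KV_RE = re.compile(r"^([A-Za-z_]+)=(.*)$")

def parse_meraki_message(msg: str) -> Dict[str, str]:
    """Split a message body into epoch, event text and key=value fields.
    Non key=value tokens ('WAP_3 flows allow', 'pattern: ...') form 'event'."""
    rec: Dict[str, str] = {}
    tokens = msg.strip().split()
    if tokens and EPOCH_RE.match(tokens[0]):
        rec["epoch"] = tokens.pop(0)
    event: List[str] = []
    for tok in tokens:
        m = KV_RE.match(tok)
        if m:
            rec[m.group(1)] = m.group(2)
        else:
            event.append(tok)
    rec["event"] = " ".join(event)
    return rec

def truncation_problems(rec: Dict[str, str]) -> List[str]:
    """Names of missing or malformed fields; empty list means intact. Flow
    fields are required only for 'flows' events or when the epoch is gone,
    because ip_flow_start/ip_flow_end legitimately carry no mac."""
    problems: List[str] = []
    if "epoch" not in rec:
        problems.append("epoch")  # body was cut before the leading epoch
    if "epoch" not in rec or "flows" in rec["event"].split():
        problems += [f for f in FLOW_FIELDS if f not in rec]
    if "mac" in rec and not MAC_RE.match(rec["mac"]):
        problems.append("mac(malformed)")
    return problems

def audit(messages: List[str]) -> List[List[str]]:
    """One problem list per message body, in input order."""
    return [truncation_problems(parse_meraki_message(m)) for m in messages]

# Constructed sample: two intact bodies taken from the post, then a constructed
# body that begins part way through the MAC address, as the post describes.
SAMPLE_MESSAGES = [
    "1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443",
    "1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443",
    "CA:68:6D protocol=tcp sport=61187 dport=443",
]
```

Running audit over the bodies pulled from /var/log/syslog versus the same events as stored in the workspace shows where in the pipeline the leading fields disappear.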