<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Gregg,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I tried your configuration, and it works for me.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
However, while experimenting, I noticed that mark message timer only starts when there is at least one message received. This is probably due that without any message, syslog-ng does not create the file writer. File writers are created on demand, because filename
can be template, so syslog-ng might not know the file name without the message.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
This is what might interfere with your test? To workaround that, you might use example-msg-generator. From 3.20, there is a num() option that limits the number of messages generated. I see you are using 3.19, so unfortunately that means an upgrade.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>@version: 3.24<br>
</span>
<div><br>
</div>
<div>log {<br>
</div>
<div># source { example-msg-generator(freq(1) template("I am here\n") num(1)); };<br>
</div>
<div> source { network(port(5555)); };<br>
</div>
<div> destination { file(/tmp/heartbeat.txt mark-freq(5) mark-mode(dst-idle)); };<br>
</div>
<div>};<br>
</div>
<div><br>
</div>
<div>log {<br>
</div>
<div> source { file(/tmp/heartbeat.txt); };<br>
</div>
<div> filter { match ("MARK --" value("MESSAGE")); };<br>
</div>
<div> destination { file(/dev/stdout); };<br>
</div>
<span>};</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>results in</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><span>$ bash -c "sleep 2; ../bin/loggen -S localhost -n 1 5555; sleep 1; ../bin/loggen -S localhost -n 1 5555"&<br>
</span>
<div>[1] 21679<br>
</div>
<div>$ ./syslog-ng -Fe -f ../etc/tmp.conf <br>
</div>
<div>[2019-10-31T14:30:20.457194] Accepting connections; addr='AF_INET(0.0.0.0:5555)'<br>
</div>
<div>[2019-10-31T14:30:20.457610] syslog-ng starting up; version='3.24.1.59.g2ab166d'<br>
</div>
<div>[2019-10-31T14:30:21.162964] Syslog connection accepted; fd='15', client='AF_INET(127.0.0.1:53860)', local='AF_INET(0.0.0.0:5555)'<br>
</div>
<div>[2019-10-31T14:30:21.163379] Syslog connection closed; fd='15', client='AF_INET(127.0.0.1:53860)', local='AF_INET(0.0.0.0:5555)'<br>
</div>
<div>average rate = 2.00 msg/sec, count=1, time=0.500232, (average) msg size=256, bandwidth=0.50 kB/sec<br>
</div>
<div>[2019-10-31T14:30:22.672276] Syslog connection accepted; fd='15', client='AF_INET(127.0.0.1:53862)', local='AF_INET(0.0.0.0:5555)'<br>
</div>
<div>[2019-10-31T14:30:22.672501] Syslog connection closed; fd='15', client='AF_INET(127.0.0.1:53862)', local='AF_INET(0.0.0.0:5555)'<br>
</div>
<div>average rate = 2.00 msg/sec, count=1, time=0.500194, (average) msg size=256, bandwidth=0.50 kB/sec<br>
</div>
<div>Oct 31 14:30:27 furiel -- MARK --<br>
</div>
<div>Oct 31 14:30:32 furiel -- MARK --<br>
</div>
<div>Oct 31 14:30:37 furiel -- MARK --<br>
</div>
<div>Oct 31 14:30:42 furiel -- MARK --</div>
<div><br>
</div>
<span></span>Br,</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span> Antal<br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span></span><br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Laszlo Szemere (lszemere) <Laszlo.Szemere@oneidentity.com><br>
<b>Sent:</b> Thursday, October 31, 2019 14:30<br>
<b>To:</b> syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] email alert on timeout</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Hello Gregg,<br>
<br>
I think you are almost on the right track. A little addition to MARK messages:<br>
Syslog-ng's destinations will ONLY emit a mark message IF otherwise there will be no message at all from that destination, during a "mark-freq" time period.<br>
So if there is a message on the Destination, it will reset the "mark-freq" timer, and the interval starts again without sending any mark message. So during a normal work of a busy log path there should be no mark messages at all.<br>
<br>
One more thing: I don't know if it is intentional from you, but you can spare the whole "mark" file logic from your configuration in certain cases, if you use the "internal" mark-mode. Unfortunately I can not give you a direct link, but in the "global options"
section of the administration guide: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.syslog-ng.com%2Ftechnical-documents%2Fdoc%2Fsyslog-ng-open-source-edition%2F3.24%2Fadministration-guide%2F59%23TOPIC-1298095&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=pXsr8zVit8T7SqYm9QRftxv1iRYYzj4V8le17r2FPqM%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.syslog-ng.com%2Ftechnical-documents%2Fdoc%2Fsyslog-ng-open-source-edition%2F3.24%2Fadministration-guide%2F59%23TOPIC-1298095&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=pXsr8zVit8T7SqYm9QRftxv1iRYYzj4V8le17r2FPqM%3D&reserved=0</a>
there is a chapter about "mark-mode"s.<br>
<br>
Best regards,<br>
Laci<br>
<br>
________________________________________<br>
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Gregg Nicholas <gnichola@berriencounty.org><br>
Sent: Thursday, October 31, 2019 13:56<br>
To: syslog-ng@lists.balabit.hu<br>
Subject: [syslog-ng] email alert on timeout<br>
<br>
CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
I'm new to syslog-ng OSE. I've been able to follow the samples, and configured an email alert when a syslog message is received.<br>
<br>
<br>
<br>
Now I'm trying to configure an email alert when it has been too long since I've received a particular syslog message.<br>
<br>
<br>
<br>
First, I configured a destination:<br>
<br>
destination d_heartbeat {<br>
<br>
file("/var/log/heartbeat.log" mark-freq(60) mark-mode(dst-idle) );<br>
<br>
};<br>
<br>
<br>
<br>
Then, I configured a filter and log:<br>
<br>
filter f_heartbeat {<br>
<br>
match("I am still here" value("MESSAGE) );<br>
<br>
};<br>
<br>
Log { source(s_network); filter(f_heartbeat); destination(d_heartbeat); };<br>
<br>
<br>
<br>
I was pleasantly surprised that this worked. The heartbeat.log file received the message, and 60 seconds later it received the "syslog -- MARK --"<br>
<br>
<br>
<br>
Since I wanted an email alert, I defined a new source, to grab the output of my heartbeat.log as input:<br>
<br>
<br>
<br>
source s_heartbeat { file(""/var/log/heartbeat.log"); };<br>
<br>
destination d_smtp { smtp(<br>
<br>
host("10.10.10.25") port(25)<br>
<br>
from("syslog-ng" "noreply@mydomain.com<mailto:noreply@mydomain.com>")<br>
<br>
to("me" "myemail@mydomain.com<mailto:myemail@mydomain.com>")<br>
<br>
subject("host is down")<br>
<br>
body("no heartbeat received from the program on host\n")<br>
<br>
); };<br>
<br>
filter f_timeout { match ("MARK --" value("MESSAGE")); };<br>
<br>
log { source(s_heartbeat); filter(f_timeout); destination(d_smtp); };<br>
<br>
<br>
<br>
This seemed to work when I tested it with a single heartbeat followed by timeout, but I’m still misunderstanding something. If it gets more than one message written to heartbeat.log, then the timeout MARK doesn’t happen.<br>
<br>
<br>
<br>
What am I missing? Is there a better way to accomplish this alert?<br>
<br>
<br>
<br>
Thanks,<br>
<br>
Gregg<br>
<br>
(running syslog-ng v3.19.1-5 on debian 10)<br>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=KZ%2BQryJh8SevPwe3V2dup%2Bgig43DQjDv9vyIGMM%2FzrQ%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=KZ%2BQryJh8SevPwe3V2dup%2Bgig43DQjDv9vyIGMM%2FzrQ%3D&reserved=0</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=TlzOnS39Oy6hEnKT8PzskVbVLW4E2FFeC%2FXhYxOfTaA%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=TlzOnS39Oy6hEnKT8PzskVbVLW4E2FFeC%2FXhYxOfTaA%3D&reserved=0</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=DIH1%2F789kvu0zotC778v6%2B%2BRv70nN1R7%2B7PvjBUCbvM%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C49a647056f144ad1387e08d75e068066%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637081254344960778&sdata=DIH1%2F789kvu0zotC778v6%2B%2BRv70nN1R7%2B7PvjBUCbvM%3D&reserved=0</a><br>
<br>
</div>
</span></font></div>
</body>
</html>