<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
Hello, <br>
<br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
The MARK messages are not originated from the source, but rather they are a destination specific option. A destination could send those as a kinda heartbeat.
<br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
Even without configuring any source those messages should be there. <br>
<br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
With the pipeline there the filter could not drop messages originating in the destination. But hey you should be able to disable MARK messages.
<br>
<br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
-- <br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
kokan <br>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com><br>
<b>Sent:</b> Thursday, March 19, 2020 9:42:13 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] MARK messages and filtering</font>
<div> </div>
</div>
<div>
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>I have the following part of syslog configuration:</div>
<div><br>
</div>
<div><span style="font-family:monospace">destination d_localfile_kernel {<br>
file("/var/log/kernel.log"<br>
flags(syslog-protocol)<br>
);<br>
};<br>
filter f_localfile_kernel_kern {<br>
facility(kern) and level(info .. emerg);<br>
};<br>
filter f_localfile_kernel {<br>
filter(f_localfile_kernel_kern); };<br>
log {<br>
source(s_src);<br>
filter(f_localfile_kernel);<br>
destination(d_localfile_kernel);<br>
flags(flow-control);<br>
};</span></div>
<div><br>
</div>
<div>And I see in my kernel.log file:</div>
<div>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T18:35:28+00:00 localhost - - - [meta sequenceId="1"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T18:55:28+00:00 localhost - - - [meta sequenceId="2"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T19:15:28+00:00 localhost - - - [meta sequenceId="3"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T19:35:28+00:00 localhost - - - [meta sequenceId="4"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T19:55:28+00:00 localhost - - - [meta sequenceId="5"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T20:15:28+00:00 localhost - - - [meta sequenceId="6"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T20:35:28+00:00 localhost - - - [meta sequenceId="7"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T20:55:28+00:00 localhost - - - [meta sequenceId="8"] -- MARK --<span></span></span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><46>1 2020-03-18T21:15:28+00:00 localhost - - - [meta sequenceId="9"] -- MARK --</span></p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<br>
</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
I was not expecting to see syslog facility messages coming out, since I am filtering by kernel facility.</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<br>
</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
Is this expected behavior?</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<br>
</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
Thanks & regards,</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
Alex<br>
</p>
<p class="x_MsoNormal" style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10pt; font-family:Consolas"><span></span></span></p>
</div>
</div>
</div>
</div>
</body>
</html>