I'm new to syslog-ng OSE. I've been able to follow the samples, and configured an email alert when a syslog message is received. Now I'm trying to configure an email alert when it has been too long since I've received a particular syslog message. First, I configured a destination: destination d_heartbeat { file("/var/log/heartbeat.log" mark-freq(60) mark-mode(dst-idle) ); }; Then, I configured a filter and log: filter f_heartbeat { match("I am still here" value("MESSAGE) ); }; Log { source(s_network); filter(f_heartbeat); destination(d_heartbeat); }; I was pleasantly surprised that this worked. The heartbeat.log file received the message, and 60 seconds later it received the "syslog -- MARK --" Since I wanted an email alert, I defined a new source, to grab the output of my heartbeat.log as input: source s_heartbeat { file(""/var/log/heartbeat.log"); }; destination d_smtp { smtp( host("10.10.10.25") port(25) from("syslog-ng" "noreply@mydomain.com <mailto:noreply@mydomain.com> ") to("me" "myemail@mydomain.com <mailto:myemail@mydomain.com> ") subject("host is down") body("no heartbeat received from the program on host\n") ); }; filter f_timeout { match ("MARK --" value("MESSAGE")); }; log { source(s_heartbeat); filter(f_timeout); destination(d_smtp); }; This seemed to work when I tested it with a single heartbeat followed by timeout, but I'm still misunderstanding something. If it gets more than one message written to heartbeat.log, then the timeout MARK doesn't happen. What am I missing? Is there a better way to accomplish this alert? Thanks, Gregg (running syslog-ng v3.19.1-5 on debian 10)