I'm new to syslog-ng OSE. I've been able to follow the samples, and configured an email alert when a syslog message is received.

Now I'm trying to configure an email alert when it has been too long since I've received a particular syslog message.

First, I configured a destination:

                destination d_heartbeat {

                                file("/var/log/heartbeat.log" mark-freq(60) mark-mode(dst-idle) );

                };

Then, I configured a filter and log:

                filter f_heartbeat {

                                match("I am still here" value("MESSAGE) );

                };

                Log { source(s_network); filter(f_heartbeat); destination(d_heartbeat); };

I was pleasantly surprised that this worked. The heartbeat.log file received the message, and 60 seconds later it received the "syslog -- MARK --"

Since I wanted an email alert, I defined a new source, to grab the output of my heartbeat.log as input:

                source s_heartbeat { file(""/var/log/heartbeat.log"); };

                destination d_smtp { smtp(

                                host("10.10.10.25") port(25)

                                from("syslog-ng" "noreply@mydomain.com")

                                to("me" "myemail@mydomain.com")

                                subject("host is down")

                                body("no heartbeat received from the program on host\n")

                ); };

                filter f_timeout { match ("MARK --" value("MESSAGE")); };

                log { source(s_heartbeat); filter(f_timeout); destination(d_smtp); };

This seemed to work when I tested it with a single heartbeat followed by timeout, but I’m still misunderstanding something. If it gets more than one message written to heartbeat.log, then the timeout MARK doesn’t happen.

What am I missing? Is there a better way to accomplish this alert?

Thanks,

Gregg

(running syslog-ng v3.19.1-5 on debian 10)