The syslog-ng could not support ---MARK----, right?
I used "-----STATS-------" instead of "------MARK-------".

Lily

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, March 19, 2007 10:45 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] map "mark.info" in syslog.conf to syslog-ng.conf

On Mon, 2007-03-19 at 10:35 -0400, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 19 Mar 2007 10:37:06 BST, Balazs Scheidler said:
> > I don't know what the 'mark' facility is for, in fact I've never seen it referenced.
>
> It's a pseudo-facility in the old syslog code, for routing the output of the '-m' flag:
>
>     -m interval
>         The syslogd logs a mark timestamp regularly. The default interval
>         between two -- MARK -- lines is 20 minutes. This can be changed
>         with this option. Setting the interval to zero turns it off entirely.
>
> So if you coded 'mark.debug /var/log/messages' and '-m 5', every 5 minutes you'd get a --MARK-- line in /var/log/messages. Pretty handy for low-activity systems, so you can tell the difference between "system idle and not generating log activity for 6 1/2 hours" and "system too wedged to syslog anything for 6 1/2 hours".

I see, then the mark facility filter should be converted to a match() filter that looks for MARK in the message payload.

--
Bazsi

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
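
The idle-versus-wedged distinction described in the thread, as an added example that is not part of the original messages: a Python check over a log file that separates MARK-only stretches (host alive but quiet) from stretches with no lines at all. The function names, the sample lines, the 5-minute interval with 30 seconds of slack, and the year are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the classic syslog file format (not taken from the thread).
SAMPLE = """\
Mar 19 02:00:00 host1 syslogd: -- MARK --
Mar 19 02:05:00 host1 syslogd: -- MARK --
Mar 19 02:07:12 host1 sshd[411]: Accepted publickey for admin
Mar 19 02:10:00 host1 syslogd: -- MARK --
Mar 19 08:41:30 host1 kernel: eth0: link up
Mar 19 08:45:00 host1 syslogd: -- MARK --
"""

def parse_ts(line, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def classify(text, mark_minutes=5, slack_seconds=30, year=2007):
    """Return (idle, silent): idle = runs of consecutive MARK lines (alive, quiet),
    silent = gaps longer than the MARK interval with no line at all (suspect)."""
    limit = timedelta(minutes=mark_minutes, seconds=slack_seconds)
    idle, silent, run, prev = [], [], [], None

    def flush():
        # A run of two or more MARK lines proves the logger was up and idle.
        if len(run) >= 2:
            idle.append((run[0], run[-1]))
        run.clear()

    for line in text.splitlines():
        try:
            ts = parse_ts(line, year)
        except ValueError:
            continue  # skip lines without a parsable timestamp
        if prev is not None and ts - prev > limit:
            silent.append((prev, ts))  # a MARK should have landed in here
            flush()
        if "-- MARK --" in line:
            run.append(ts)
        else:
            flush()
        prev = ts
    flush()
    return idle, silent

if __name__ == "__main__":
    idle, silent = classify(SAMPLE)
    for start, end in silent:
        print(f"no log lines for {end - start} ({start} -> {end})")
```

The check does not handle a log that crosses a year boundary, since the timestamps themselves carry no year.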