Hello,

The MARK messages are not originated from the source, but rather they are a destination-specific option. A destination could send those as a kinda heartbeat. Even without configuring any source those messages should be there.

With the pipeline there the filter could not drop messages originating in the destination.

But hey you should be able to disable MARK messages.

--
kokan

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com>
Sent: Thursday, March 19, 2020 9:42:13 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] MARK messages and filtering

Hi,

I have the following part of syslog configuration:

    destination d_localfile_kernel {
        file("/var/log/kernel.log" flags(syslog-protocol) );
    };

    filter f_localfile_kernel_kern {
        facility(kern) and level(info .. emerg);
    };

    filter f_localfile_kernel {
        filter(f_localfile_kernel_kern);
    };

    log {
        source(s_src);
        filter(f_localfile_kernel);
        destination(d_localfile_kernel);
        flags(flow-control);
    };

And I see in my kernel.log file:

    <46>1 2020-03-18T18:35:28+00:00 localhost - - - [meta sequenceId="1"] -- MARK --
    <46>1 2020-03-18T18:55:28+00:00 localhost - - - [meta sequenceId="2"] -- MARK --
    <46>1 2020-03-18T19:15:28+00:00 localhost - - - [meta sequenceId="3"] -- MARK --
    <46>1 2020-03-18T19:35:28+00:00 localhost - - - [meta sequenceId="4"] -- MARK --
    <46>1 2020-03-18T19:55:28+00:00 localhost - - - [meta sequenceId="5"] -- MARK --
    <46>1 2020-03-18T20:15:28+00:00 localhost - - - [meta sequenceId="6"] -- MARK --
    <46>1 2020-03-18T20:35:28+00:00 localhost - - - [meta sequenceId="7"] -- MARK --
    <46>1 2020-03-18T20:55:28+00:00 localhost - - - [meta sequenceId="8"] -- MARK --
    <46>1 2020-03-18T21:15:28+00:00 localhost - - - [meta sequenceId="9"] -- MARK --

I was not expecting to see syslog facility messages coming out, since I am filtering by kernel facility.

Is this expected behavior?

Thanks & regards,
Alex
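
Added example, not part of either message in the thread: a small Python audit that decodes the RFC 5424 PRI of each line in a log file and reports lines that the thread's filter, facility(kern) and level(info .. emerg), would have rejected, which is how destination-generated MARK lines show up. The function names and the two constructed kernel sample lines are assumptions made for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER = re.compile(r"^<(\d{1,3})>\d{1,2} \S+ \S+ \S+ \S+ \S+ (.*)$")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) names: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def passes_filter(facility, severity):
    """Mirror of the thread's filter: facility(kern) and level(info .. emerg)."""
    return facility == "kern" and SEVERITIES.index(severity) <= SEVERITIES.index("info")


def audit(lines):
    """Return (line_no, facility, severity, is_mark) for lines the filter would reject."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = HEADER.match(line.rstrip("\n"))
        try:
            facility, severity = decode_pri(int(m.group(1)))
        except (AttributeError, ValueError):
            findings.append((no, None, None, False))  # not RFC 5424 framed or bad PRI
            continue
        if not passes_filter(facility, severity):
            findings.append((no, facility, severity, m.group(2).endswith("-- MARK --")))
    return findings


SAMPLE = [
    # First line is taken from the kernel.log excerpt in the thread.
    '<46>1 2020-03-18T18:35:28+00:00 localhost - - - [meta sequenceId="1"] -- MARK --',
    # The next two lines are constructed for this example.
    '<6>1 2020-03-18T18:36:02+00:00 localhost kernel - - - constructed kernel info line',
    '<7>1 2020-03-18T18:36:03+00:00 localhost kernel - - - constructed kernel debug line',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

PRI 46 decodes to facility syslog and severity info, so the MARK lines never matched the kern filter and must have entered the file after it.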