Hi Laci,

Thanks for your advice.

I think that the behavior you described for mark-freq is exactly what I'm trying to accomplish, but it doesn't seem to work. There must be some detail that I'm missing.

In my test, I've set mark-freq to 60 seconds for the destination heartbeat.log. When I watch (tail) heartbeat.log, I'm seeing this type of result:

                Oct 31 08:44:02 192.168.35.1 ...I am still here...

                Oct 31 08:45:03 syslog -- MARK --

                Oct 31 08:45:19 192.168.35.1 ...I am still here...

                Oct 31 08:46:19 syslog -- MARK --

                Oct 31 08:46:32 192.168.35.1 ...I am still here...

                Oct 31 08:46:40 192.168.35.1 ...I am still here...

                Oct 31 09:43:46 192.168.35.1 ...I am still here...

As you can see, the destination is not busy. Shouldn’t a MARK have happened at 08:47:40?

The “internal” mark-mode looked a bit complicated, but I’ll read it again.

Thanks again,

Gregg

-----Original Message-----
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Laszlo Szemere (lszemere)
Sent: Thursday, October 31, 2019 09:30
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] email alert on timeout

Hello Gregg,

I think you are almost on the right track. A little addition to MARK messages:

Syslog-ng's destinations will ONLY emit a mark message IF otherwise there will be no message at all from that destination, during a "mark-freq" time period.

So if there is a message on the Destination, it will reset the "mark-freq" timer, and the interval starts again without sending any mark message. So during a normal work of a busy log path there should be no mark messages at all.

One more thing: I don't know if it is intentional from you, but you can spare the whole "mark" file logic from your configuration in certain cases, if you use the "internal" mark-mode. Unfortunately I can not give you a direct link, but in the "global options" section of the administration guide: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/59#TOPIC-1298095 there is a chapter about "mark-mode"s.

Best regards,

Laci
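
The check discussed in this thread, as an added example that is not part of either message and not syslog-ng code: it replays the heartbeat.log excerpt under the rule Laci describes (every message written to the destination restarts the mark-freq timer) and reports each silent stretch in which a MARK was due but never logged. The 20-second slack, the year 2019 (taken from the mail date) and all function names are assumptions.

```python
from datetime import datetime, timedelta

MARK_FREQ = timedelta(seconds=60)  # mark-freq value used in the test above
SLACK = timedelta(seconds=20)      # assumed tolerance for timer jitter

# Lines copied from the heartbeat.log excerpt quoted in the thread.
SAMPLE = """\
Oct 31 08:44:02 192.168.35.1 ...I am still here...
Oct 31 08:45:03 syslog -- MARK --
Oct 31 08:45:19 192.168.35.1 ...I am still here...
Oct 31 08:46:19 syslog -- MARK --
Oct 31 08:46:32 192.168.35.1 ...I am still here...
Oct 31 08:46:40 192.168.35.1 ...I am still here...
Oct 31 09:43:46 192.168.35.1 ...I am still here...
"""


def parse_stamp(line, year=2019):
    """Parse the 15-character BSD syslog timestamp, which carries no year."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def missing_marks(lines, freq=MARK_FREQ, slack=SLACK):
    """Return (last_seen, next_seen, mark_due) for each silent gap.

    Any line, heartbeat or MARK, restarts the timer. A gap longer than
    freq + slack means the idle mark that was due at last_seen + freq
    never reached the file.
    """
    gaps = []
    prev = None
    for line in lines:
        if not line.strip():
            continue
        stamp = parse_stamp(line)
        if prev is not None and stamp - prev > freq + slack:
            gaps.append((prev, stamp, prev + freq))
        prev = stamp
    return gaps


if __name__ == "__main__":
    for last_seen, next_seen, due in missing_marks(SAMPLE.splitlines()):
        print(f"silent {last_seen:%H:%M:%S} -> {next_seen:%H:%M:%S}, "
              f"MARK was due at {due:%H:%M:%S}")
```

Run against a live file, the same function can feed an alert whenever the returned list is non-empty, since a missing MARK means the heartbeat file can no longer be trusted to show that the source is silent.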