Hi, Right now, there's no other means. Within the code theres a flag to indicate marks, but that does not cross the wire. On Jun 29, 2017 16:01, "Fabien Wernli" <wernli@in2p3.fr> wrote: Hi, What would be the best way to identify a message originating from mark-mode? I don't see any obvious way to do so, apart from matching the message for '-- MARK --'. Here's an example on how it looks: { "YEAR_DAY": "180", "YEAR": "2017", "WEEK_DAY_NAME": "Thursday", "WEEK_DAY_ABBREV": "Thu", "WEEK_DAY": "5", "WEEKDAY": "Thu", "WEEK": "26", "USEC": "233311", "UNIXTIME": "1498744609", "TZOFFSET": "+02:00", "TZ": "+02:00", "TAGS": ".source.#anon-source0", "TAG": "0d", "S_YEAR_DAY": "180", "S_YEAR": "2017", "S_WEEK_DAY_NAME": "Thursday", "S_WEEK_DAY_ABBREV": "Thu", "S_WEEK_DAY": "5", "S_WEEKDAY": "Thu", "S_WEEK": "26", "S_USEC": "233311", "S_UNIXTIME": "1498744609", "S_TZOFFSET": "+02:00", "S_TZ": "+02:00", "S_STAMP": "Jun 29 15:56:49", "S_SEC": "49", "S_MSEC": "233", "S_MONTH_WEEK": "4", "S_MONTH_NAME": "June", "S_MONTH_ABBREV": "Jun", "S_MONTH": "06", "S_MIN": "56", "S_ISODATE": "2017-06-29T15:56:49+02:00", "S_HOUR12": "03", "S_HOUR": "15", "S_FULLDATE": "2017 Jun 29 15:56:49", "S_DAY": "29", "S_DATE": "Jun 29 15:56:49", "S_AMPM": "PM", "SYSUPTIME": "207", "STAMP": "Jun 29 15:56:49", "SOURCEIP": "127.0.0.1", "SOURCE": "#anon-source0", "SEC": "49", "R_YEAR_DAY": "180", "R_YEAR": "2017", "R_WEEK_DAY_NAME": "Thursday", "R_WEEK_DAY_ABBREV": "Thu", "R_WEEK_DAY": "5", "R_WEEKDAY": "Thu", "R_WEEK": "26", "R_USEC": "233311", "R_UNIXTIME": "1498744609", "R_TZOFFSET": "+02:00", "R_TZ": "+02:00", "R_STAMP": "Jun 29 15:56:49", "R_SEC": "49", "R_MSEC": "233", "R_MONTH_WEEK": "4", "R_MONTH_NAME": "June", "R_MONTH_ABBREV": "Jun", "R_MONTH": "06", "R_MIN": "56", "R_ISODATE": "2017-06-29T15:56:49+02:00", "R_HOUR12": "03", "R_HOUR": "15", "R_FULLDATE": "2017 Jun 29 15:56:49", "R_DAY": "29", "R_DATE": "Jun 29 15:56:49", "R_AMPM": "PM", "RUNID": "1", "PRIORITY": "notice", "PRI": "13", "MSG": "dl", "MSEC": "233", "MONTH_WEEK": "4", "MONTH_NAME": "June", "MONTH_ABBREV": "Jun", "MONTH": "06", "MIN": "56", "MESSAGE": "dl", "LOGHOST": "localhost.localdomain", "LEVEL_NUM": "5", "LEVEL": "notice", "ISODATE": "2017-06-29T15:56:49+02:00", "HOUR12": "03", "HOUR": "15", "HOST_FROM": "localhost", "HOSTID": "abb0b0e5", "HOST": "localhost", "FULLDATE": "2017 Jun 29 15:56:49", "FILE_NAME": "/dev/stdin", "FACILITY_NUM": "1", "FACILITY": "user", "DAY": "29", "DATE": "Jun 29 15:56:49", "C_YEAR_DAY": "180", "C_YEAR": "2017", "C_WEEK_DAY_NAME": "Thursday", "C_WEEK_DAY_ABBREV": "Thu", "C_WEEK_DAY": "5", "C_WEEKDAY": "Thu", "C_WEEK": "26", "C_UNIXTIME": "1498744609", "C_TZOFFSET": "-00:00", "C_TZ": "-00:00", "C_STAMP": "Jun 29 13:56:48", "C_SEC": "48", "C_MONTH_WEEK": "4", "C_MONTH_NAME": "June", "C_MONTH_ABBREV": "Jun", "C_MONTH": "06", "C_MIN": "56", "C_ISODATE": "2017-06-29T13:56:48-00:00", "C_HOUR": "13", "C_FULLDATE": "2017 Jun 29 13:56:48", "C_DAY": "29", "C_DATE": "Jun 29 13:56:48", "BSDTAG": "5B", "AMPM": "PM" } ____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq