I am having some trouble understanding what constitutes conditions under which MARK messages will appear in log files. I recently brought up a log server on a fairly quiet network (less than one message/hour) and I was expecting to see at least one MARK message in my logs every five minutes, since I have mark_freq set to 300. However, the logs just sit there idle, sometimes for hours at a time, with no mark messages appearing at all. Perhaps I'm missing something in the log { } statement? The documentation is fairly sparse about what is required to enable the MARK stuff... I've attached my syslog-ng.conf -- any ideas? -- Paul Krizak 5900 E. Ben White Blvd. MS 625 Advanced Micro Devices Austin, TX 78741 Linux/Unix Systems Engineering Phone: (512) 602-8775 Silicon Design Division Cell: (512) 791-0686 # $Id: syslog-ng.conf,v 1.37 2007/01/19 17:34:51 skaven Exp $ ################################################ # OPTIONS # See http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index... for reference ################################################ options { #time_reopen(); # The time to wait before a killed/died connection is reestablished #time_reap(); # The time to wait before an idle destination file is closed. sync(0); # The number of lines buffered before written to file: we want immediate output to our destinations mark_freq(300); # The number of seconds between two MARK lines. stats_freq(60); # The number of seconds between two STATS. (number of dropped messages) log_fifo_size(10000); # The number of lines fitting to the output queue: we want to be able to handle a flood chain_hostnames(no); # Enable or disable the chained hostname format. keep_hostname(no); # Enable or disable hostname rewriting. We rewrite hostnames because our systems send all their names as IPs. #check_hostname(); # Enable or disable whether the hostname contains valid characters. #bad_hostname(); # A regexp which matches hostnames which should not be taken as such. owner("root"); group("root"); perm(0644); create_dirs(yes); dir_owner("root"); dir_group("root"); dir_perm(0755); use_dns(yes) ; # Enable or disable DNS usage. **syslog-ng blocks on DNS queries** dns_cache(yes); # Enable or disable DNS cache usage. (not implemented) dns_cache_size(10000); # Number of hostnames in the DNS cache: lets try to keep all hosts in the cache (not implemented) dns_cache_expire(3600); # Number of seconds while a successful lookup is cached: 1 hr seems reasonable (not implemented) dns_cache_expire_failed(30); # Number of seconds while a failed lookup is cached: 30 seconds seems reasonable (not implemented) #log_msg_size(); # Maximum length of message in bytes. use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname. }; ################################################ # GENERIC SOURCES # See http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index... for reference # Note that all sources get attached to rule engines. ################################################ # Syslog inputs source s_external_syslog { udp(port(514)); }; # Local syslog source s_internal_syslog { unix-dgram("/dev/log"); file("/proc/kmsg" log_prefix("kernel:")); }; # Sylog-ng's internal log source s_syslog-ng { internal(); }; # This template reformats incoming messages for use in human-readable logfiles # Don't rename this template! template t_human_readable { template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n"); template-escape(no); }; # The big Y/M/D/host-messages tree destination d_host_messages { file( "/var/log/logs/$R_YEAR/$R_MONTH/$R_DAY/$HOST-messages.log" template(t_human_readable) create_dirs(yes) owner("root") group("root") perm(0644) dir_perm(0755) ); }; # The big monolithic syslog file destination d_big_messages { file ( "/var/log/logs/messages.log" template(t_human_readable) owner("root") group("root") perm(0644) ); }; # A named pipe that programs can read from destination d_syslog_pipe { pipe ( "/var/spool/vtec/syslog_pipe" template(t_human_readable) owner("root") group("root") perm(0644) ); }; # The "normal" syslog file (for local syslog) destination d_internal_syslog { file ( "/var/log/messages" template(t_human_readable) owner("root") group("root") perm(0644) ); }; # A syslog-ng logfile destination d_syslog-ng-log { file( "/var/log/syslog-ng.log" owner("root") group("root") perm(0644) ); }; # log syslog-ng's log to a special logfile log { source(s_syslog-ng); destination(d_syslog-ng-log); }; # log syslog messages to the host-messages tree and to the big monolithic messages file log { source(s_external_syslog); source(s_internal_syslog); destination(d_big_messages); destination(d_host_messages); destination(d_syslog_pipe); }; # log local syslog stuff to /var/log/messages log { source(s_internal_syslog); destination(d_internal_syslog); };