map "mark.info" in syslog.conf to syslog-ng.conf
Hi,

I tried to map the syslog.conf to syslog-ng.conf via syslog2ng:

mark.info

It is mapped to

filter f_1 { facility(mark) and level(info..emerg);}

It could not pass the verification because facility(mark) is not correct. How to fix it?

Thanks,
Lily
On Thu, 2007-03-15 at 11:36 -0400, Lily Feng wrote:
> Hi,
> I tried to map the syslog.conf to syslog-ng.conf via syslog2ng: mark.info It is mapped to filter f_1 { facility(mark) and level(info..emerg);} It could not pass the verification because facility(mark) is not correct. How to fix it?
I don't know what the 'mark' facility is for, in fact I've never seen it referenced. The set of facilities syslog-ng knows depends on the system it was compiled on, but you can use custom facilities if you know their 'numerical code'. The list of commonly defined facilities can be found in RFC3164 (section 4.1.1), that RFC might be worth a read if you are getting involved in syslog. (and checking out www.syslog.org and www.loganalysis.org websites)
-- Bazsi
On Mon, 19 Mar 2007 10:37:06 BST, Balazs Scheidler said:
> I don't know what the 'mark' facility is for, in fact I've never seen it referenced.

It's a pseudo-facility in the old syslog code, for routing the output of the '-m' flag:

    -m interval
        The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely.

So if you coded 'mark.debug /var/log/messages' and '-m 5', every 5 minutes you'd get a --MARK-- line in /var/log/messages. Pretty handy for low-activity systems, so you can tell the difference between "system idle and not generating log activity for 6 1/2 hours" and "system too wedged to syslog anything for 6 1/2 hours".
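Added example, not part of the original thread or of any participant's message: the "idle versus wedged" distinction described above, as a check that scans a syslog file for gaps longer than the mark interval. The sample log lines are constructed, and the function names, the 60-second slack and the year argument (BSD timestamps carry no year) are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the classic BSD syslog file layout (timestamps carry no year).
SAMPLE_LOG = """\
Mar 19 00:00:01 host1 -- MARK --
Mar 19 00:20:01 host1 -- MARK --
Mar 19 00:31:12 host1 sshd[812]: Accepted publickey for admin from 192.0.2.10
Mar 19 00:40:01 host1 -- MARK --
Mar 19 07:10:44 host1 kernel: eth0: link up
Mar 19 07:20:01 host1 -- MARK --
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_ts(line, year):
    """Return the line's timestamp as a datetime, or None if it has none."""
    m = TS_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def find_silences(lines, mark_minutes=20, slack_seconds=60, year=2007):
    """Return (last_seen, next_seen, gap) for every gap longer than the mark interval.

    With marks routed to this file, a healthy host writes at least one line per
    interval, so a longer gap means logging stopped, not that the host was idle.
    """
    limit = timedelta(minutes=mark_minutes, seconds=slack_seconds)
    silences, prev = [], None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue  # continuation line or garbage: no timestamp to compare
        if prev is not None and ts < prev:
            year += 1  # timestamps went backwards: assume a year rollover
            ts = parse_ts(line, year)
        if prev is not None and ts - prev > limit:
            silences.append((prev, ts, ts - prev))
        prev = ts
    return silences

if __name__ == "__main__":
    for start, end, gap in find_silences(SAMPLE_LOG.splitlines()):
        print(f"no log lines between {start} and {end} ({gap})")
```

The same check applies to a file fed by syslog-ng once mark messages are being emitted there; `mark_minutes` must match the configured interval.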
On Mon, 2007-03-19 at 10:35 -0400, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 19 Mar 2007 10:37:06 BST, Balazs Scheidler said:
>> I don't know what the 'mark' facility is for, in fact I've never seen it referenced.
> It's a pseudo-facility in the old syslog code, for routing the output of the '-m' flag:
> -m interval
>     The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely.
> So if you coded 'mark.debug /var/log/messages' and '-m 5', every 5 minutes you'd get a --MARK-- line in /var/log/messages. Pretty handy for low-activity systems, so you can tell the difference between "system idle and not generating log activity for 6 1/2 hours" and "system too wedged to syslog anything for 6 1/2 hours".

I see, then the mark facility filter should be converted to a match() filter that looks for MARK in the message payload.
-- Bazsi
The syslog-ng could not support ---MARK----, right? I used "-----STATS-------" instead of "------MARK-------".

Lily

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, March 19, 2007 10:45 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] map "mark.info" in syslog.conf to syslog-ng.conf

On Mon, 2007-03-19 at 10:35 -0400, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 19 Mar 2007 10:37:06 BST, Balazs Scheidler said:
>> I don't know what the 'mark' facility is for, in fact I've never seen it referenced.
> It's a pseudo-facility in the old syslog code, for routing the output of the '-m' flag:
> -m interval
>     The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely.
> So if you coded 'mark.debug /var/log/messages' and '-m 5', every 5 minutes you'd get a --MARK-- line in /var/log/messages. Pretty handy for low-activity systems, so you can tell the difference between "system idle and not generating log activity for 6 1/2 hours" and "system too wedged to syslog anything for 6 1/2 hours".

I see, then the mark facility filter should be converted to a match() filter that looks for MARK in the message payload.
-- Bazsi
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Mon, 2007-03-19 at 10:48 -0400, Lily Feng wrote:
> The syslog-ng could not support ---MARK----, right? I used "-----STATS-------" instead of "------MARK-------".

syslog-ng can emit mark messages, check the mark_freq() option.
-- Bazsi
Hi Bazsi,

Thanks. In the user guide, I found the mark_freq() is "not implemented yet". I tried it, no MARK messages are created. Maybe my syslog-ng version is old, it is 1.6.9.

Lily

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, March 19, 2007 11:02 AM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] map "mark.info" in syslog.conf to syslog-ng.conf

On Mon, 2007-03-19 at 10:48 -0400, Lily Feng wrote:
> The syslog-ng could not support ---MARK----, right? I used "-----STATS-------" instead of "------MARK-------".

syslog-ng can emit mark messages, check the mark_freq() option.
-- Bazsi
participants (3)
- Balazs Scheidler
- Lily Feng
- Valdis.Kletnieks@vt.edu