[syslog-ng] Question about mark_freq()
Paul Krizak
paul.krizak at amd.com
Sat Jan 20 18:58:57 CET 2007
I am having some trouble understanding what constitutes conditions under
which MARK messages will appear in log files. I recently brought up a
log server on a fairly quiet network (less than one message/hour) and I
was expecting to see at least one MARK message in my logs every five
minutes, since I have mark_freq set to 300.

However, the logs just sit there idle, sometimes for hours at a time,
with no mark messages appearing at all.

Perhaps I'm missing something in the log { } statement? The
documentation is fairly sparse about what is required to enable the MARK
stuff...

I've attached my syslog-ng.conf -- any ideas?

--
Paul Krizak 5900 E. Ben White Blvd. MS 625
Advanced Micro Devices Austin, TX 78741
Linux/Unix Systems Engineering Phone: (512) 602-8775
Silicon Design Division Cell: (512) 791-0686
-------------- next part --------------
# $Id: syslog-ng.conf,v 1.37 2007/01/19 17:34:51 skaven Exp $
################################################
# OPTIONS
# See http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html for reference
################################################
options {
    #time_reopen(); # The time to wait before a killed/died connection is reestablished
    #time_reap(); # The time to wait before an idle destination file is closed.
    sync(0); # The number of lines buffered before written to file: we want immediate output to our destinations
    mark_freq(300); # The number of seconds between two MARK lines.
    stats_freq(60); # The number of seconds between two STATS. (number of dropped messages)
    log_fifo_size(10000); # The number of lines fitting to the output queue: we want to be able to handle a flood
    chain_hostnames(no); # Enable or disable the chained hostname format.
    keep_hostname(no); # Enable or disable hostname rewriting. We rewrite hostnames because our systems send all their names as IPs.
    #check_hostname(); # Enable or disable whether the hostname contains valid characters.
    #bad_hostname(); # A regexp which matches hostnames which should not be taken as such.
    owner("root");
    group("root");
    perm(0644);
    create_dirs(yes);
    dir_owner("root");
    dir_group("root");
    dir_perm(0755);
    use_dns(yes); # Enable or disable DNS usage. **syslog-ng blocks on DNS queries**
    dns_cache(yes); # Enable or disable DNS cache usage. (not implemented)
    dns_cache_size(10000); # Number of hostnames in the DNS cache: lets try to keep all hosts in the cache (not implemented)
    dns_cache_expire(3600); # Number of seconds while a successful lookup is cached: 1 hr seems reasonable (not implemented)
    dns_cache_expire_failed(30); # Number of seconds while a failed lookup is cached: 30 seconds seems reasonable (not implemented)
    #log_msg_size(); # Maximum length of message in bytes.
    use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname.
};
################################################
# GENERIC SOURCES
# See http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html for reference
# Note that all sources get attached to rule engines.
################################################
# Syslog inputs
source s_external_syslog {
    udp(port(514));
};
# Local syslog
source s_internal_syslog {
    unix-dgram("/dev/log");
    file("/proc/kmsg" log_prefix("kernel:"));
};
# Syslog-ng's internal log
source s_syslog-ng {
    internal();
};
# This template reformats incoming messages for use in human-readable logfiles
# Don't rename this template!
template t_human_readable {
    template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
    template-escape(no);
};
# The big Y/M/D/host-messages tree
destination d_host_messages {
    file(
        "/var/log/logs/$R_YEAR/$R_MONTH/$R_DAY/$HOST-messages.log"
        template(t_human_readable)
        create_dirs(yes)
        owner("root")
        group("root")
        perm(0644)
        dir_perm(0755)
    );
};
# The big monolithic syslog file
destination d_big_messages {
    file (
        "/var/log/logs/messages.log"
        template(t_human_readable)
        owner("root")
        group("root")
        perm(0644)
    );
};
# A named pipe that programs can read from
destination d_syslog_pipe {
    pipe (
        "/var/spool/vtec/syslog_pipe"
        template(t_human_readable)
        owner("root")
        group("root")
        perm(0644)
    );
};
# The "normal" syslog file (for local syslog)
destination d_internal_syslog {
    file (
        "/var/log/messages"
        template(t_human_readable)
        owner("root")
        group("root")
        perm(0644)
    );
};
# A syslog-ng logfile
destination d_syslog-ng-log {
    file(
        "/var/log/syslog-ng.log"
        owner("root")
        group("root")
        perm(0644)
    );
};
# log syslog-ng's log to a special logfile
log {
    source(s_syslog-ng);
    destination(d_syslog-ng-log);
};
# log syslog messages to the host-messages tree and to the big monolithic messages file
log {
    source(s_external_syslog);
    source(s_internal_syslog);
    destination(d_big_messages);
    destination(d_host_messages);
    destination(d_syslog_pipe);
};
# log local syslog stuff to /var/log/messages
log {
    source(s_internal_syslog);
    destination(d_internal_syslog);
};