[syslog-ng] Strange behavior with the option "mark"

Balazs Scheidler bazsi at balabit.hu
Tue Aug 3 14:50:41 CEST 2010


On Tue, 2010-08-03 at 10:58 +0200, Ilas, Yann wrote:
> Hello everybody,
> 
> I'm currently using the application syslog-ng version 3.1.1 and there is
> an odd behavior with the "mark" option.
> 
> Here is the configuration file used for the test :
> 
>   @version: 3.0
> 
>   options {
>       mark(7);
>   };
> 
>   source s_local  { internal(); unix-stream( "/dev/log" ); };
> 
>   destination d_f_msg_unknown {
>       file ( /var/log/messages__unknown );
>   };
> 
>   log {
>       source (s_local);
>       destination (d_f_msg_unknown);
>   };
> 
> ...and I start the syslog-ng application like this :
>   # cd /opt/syslog-ng/sbin/
>   # ./syslog-ng -Fevd --foreground --no-caps --cfgfile=/opt/syslog-ng/etc/syslog-ng.conf.MARK --pidfile=/tmp/syslog-ng.conf.pid
> 
> The output of the log file :
>   Aug  2 17:44:22 serveur01 -- MARK --
>   Aug  2 17:44:29 serveur01 -- MARK --
>   Aug  2 17:44:36 serveur01 -- MARK --
> (...)
> 
> Then, I change the configuration file from "mark(7)" to "mark(0)" and
> send a HUP signal between "17:44:36" and "17:44:43"
>   # kill -HUP $(cat /tmp/syslog-ng.conf.pid)
> 
> Here is the output (tail -f /var/log/messages__unknown) :
>   Aug  2 17:44:36 serveur01 -- MARK --
> <HUP signal>
>   Aug  2 17:44:43 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
> (...)
> ...then the server syslog-ng sends a lot of "MARK" messages. I have to
> stop the process with a "kill" or "ctrl+c".
> 
> I have the same behaviour if I use "mark_freq" instead of "mark".
> What's wrong with that option ? Did I miss something ?

well, we should recognize mark(0) the same as mark(-1) effectively
disabling the mark feature.

right now, mark(0) means that there's zero time between two mark
messages, effectively generating one mark message per poll iteration,
this is what you see.

Or, does this happen only if you do a SIGHUP? Or the same happens when
you start syslog-ng?

-- 
Bazsi
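
The following is an added example, not part of the original message and not code from the syslog-ng project. It assumes the behaviour described in this thread for 3.1.1 (a zero interval produces one MARK per poll iteration). It lints a configuration for mark(0) / mark_freq(0) and finds seconds in a log file that hold repeated MARK lines. The function names are hypothetical, and the sample config and log lines are constructed from the ones quoted above.

```python
import re
from collections import Counter

# mark(N) or mark_freq(N) / mark-freq(N); N may be negative (-1 disables).
MARK_OPT = re.compile(r'\b(mark(?:[_-]freq)?)\s*\(\s*(-?\d+)\s*\)')
# Line as written by the file() destination: "Aug  2 17:44:50 host -- MARK --"
MARK_LINE = re.compile(r'^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+-- MARK --$')

def risky_mark_options(config_text):
    """Return (option, value) pairs whose interval is 0."""
    # Drop '#' comments so a commented-out mark(0) is not reported.
    active = re.sub(r'#.*', '', config_text)
    found = [(name, int(val)) for name, val in MARK_OPT.findall(active)]
    return [(name, val) for name, val in found if val == 0]

def mark_bursts(log_lines, threshold=2):
    """Return {(timestamp, host): count} for seconds with >= threshold MARKs."""
    counts = Counter()
    for line in log_lines:
        m = MARK_LINE.match(line.strip())
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample input, modelled on the config and output in the post.
SAMPLE_CONFIG = """
@version: 3.0
options {
    # mark(7);   previous value
    mark(0);
};
"""
SAMPLE_LOG = [
    "Aug  2 17:44:36 serveur01 -- MARK --",
    "Aug  2 17:44:43 serveur01 -- MARK --",
] + ["Aug  2 17:44:50 serveur01 -- MARK --"] * 7

if __name__ == "__main__":
    for name, val in risky_mark_options(SAMPLE_CONFIG):
        print(f"config: {name}({val}) has a zero interval")
    for (ts, host), n in mark_bursts(SAMPLE_LOG).items():
        print(f"log: {n} MARK lines from {host} at {ts}")
```
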


