[syslog-ng] Strange behavior with the option "mark"

Tue Aug 3 16:01:39 CEST 2010

Thank you for your answer.

When I start the syslog-ng with the option "mark" sets to 0, no MARKS
messages are sent (as written in the OSE 3.1 Administrator Guide).
This problem appears only when the option "mark" is set from a value <>
0 to a value = 0 and when I reload the configuration with a HUP signal.

Regards,

Yann I.

On Tue, 2010-08-03 at 10:58 +0200, Ilas, Yann wrote:
> Hello everybody,
> 
> I'm currently using the application syslog-ng version 3.1.1 and there
is
> an odd behavior with the "mark" option.
> 
> Here is the configuration file used for the test :
> 
>   @version: 3.0
> 
>   options {
>       mark(7);
>   };
> 
>   source s_local  { internal(); unix-stream( "/dev/log" ); };
> 
>   destination d_f_msg_unknown {
>       file ( /var/log/messages__unknown );
>   };
> 
>   log {
>       source (s_local);
>       destination (d_f_msg_unknown);
>   };
> 
> ...and I start the syslog-ng application like this :
>   # cd /opt/syslog-ng/sbin/
>   # ./syslog-ng -Fevd --foreground --no-caps
> --cfgfile=/opt/syslog-ng/etc/syslog-ng.conf.MARK
> --pidfile=/tmp/syslog-ng.conf.pid
> 
> The output of the log file :
>   Aug  2 17:44:22 serveur01 -- MARK --
>   Aug  2 17:44:29 serveur01 -- MARK --
>   Aug  2 17:44:36 serveur01 -- MARK --
> (...)
> 
> Then, I change the configuration file from "mark(7)" to "mark(0)" and
> send a HUP signal between "17:44:36" and "17:44:43"
>   # kill -HUP $(cat /tmp/syslog-ng.conf.pid)
> 
> Here is the output (tail -f /var/log/messages__unknown) :
>   Aug  2 17:44:36 serveur01 -- MARK --
> <HUP signal>
>   Aug  2 17:44:43 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
>   Aug  2 17:44:50 serveur01 -- MARK --
> (...)
> ...then the server syslog-ng sends a lot of "MARK" messages. I have to
> stop the process with a "kill" or "ctrl+c".
> 
> I have the same behaviour if I use "mark_freq" instead of "mark".
> What's wrong with that option ? Did I miss something ?

well, we should recognize mark(0) the same as mark(-1) effectively
disabling the mark feature.

right now, mark(0) means that there's zero time between two mark
messages, effectively generating one mark message per poll iteration,
this is what you see.

Or, does this happen only if you do a SIGHUP? Or the same happens when
you start syslog-ng?

-- 
Bazsi