[syslog-ng] email alert on timeout

Gregg Nicholas gnichola at berriencounty.org
Thu Oct 31 14:30:51 UTC 2019 

Hi Laci,



Thanks for your advice.



I think that the behavior you described for mark-freq is exactly what I'm 
trying to accomplish, but it doesn't seem to work. There must be some detail 
that I'm missing.



In my test, I've set mark-freq to 60 seconds for the destination 
heartbeat.log. When I watch (tail) heartbeat.log, I'm seeing this type of 
results:



                Oct 31 08:44:02 192.168.35.1 ...I am still here...

                Oct 31 08:45:03 syslog -- MARK --

                Oct 31 08:45:19 192.168.35.1 ...I am still here...

                Oct 31 08:46:19 syslog -- MARK –

                Oct 31 08:46:32 192.168.35.1 ...I am still here...

                Oct 31 08:46:40 192.168.35.1 ...I am still here...

                Oct 31 09:43:46 192.168.35.1 ...I am still here...



As you can see, the destination is not busy. Shouldn’t a MARK have happened 
at 08:47:40?



The “internal” mark-mode looked a bit complicated, but I’ll read it again.



Thanks again,

Gregg





-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Laszlo 
Szemere (lszemere)
Sent: Thursday, October 31, 2019 09:30
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] email alert on timeout



Hello Gregg,



I think you are almost on the right track. A little addition to MARK 
messages:

Syslog-ng's destinations will ONLY emit a mark message IF otherwise there 
will be no message at all from that destination, during a "mark-freq" time 
period.

So if there is a message on the Destination, it will reset the "mark-freq" 
timer, and the interval starts again without sending any mark message. So 
during a normal work of a busy log path there should be no mark messages at 
all.



One more thing: I don't know if it is intentional from you, but you can 
spare the whole "mark" file logic from your configuration in certain cases, 
if you use the "internal" mark-mode. Unfortunately I can not give you a 
direct link, but in the "global options" section of the administration 
guide: 
<https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/59#TOPIC-1298095> 
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/59#TOPIC-1298095 
there is a chapter about "mark-mode"s.



Best regards,

Laci





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20191031/deb46155/attachment.html>

More information about the syslog-ng mailing list