[syslog-ng] MARK messages and filtering

Peter Kokai (pkokai) Peter.Kokai at oneidentity.com
Thu Mar 19 21:03:33 UTC 2020


Hello,

The MARK messages do not originate from the source; rather, they are a destination-specific option. A destination could send those as a kind of heartbeat.
Even without configuring any source those messages should be there.

With the pipeline there, the filter could not drop messages originating in the destination. But hey, you should be able to disable MARK messages.

--
kokan
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Thursday, March 19, 2020 9:42:13 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] MARK messages and filtering


Hi,

I have the following part of syslog configuration:

destination d_localfile_kernel {
    file("/var/log/kernel.log"
        flags(syslog-protocol)
    );
};
filter f_localfile_kernel_kern {
    facility(kern) and level(info .. emerg);
};
filter f_localfile_kernel {
    filter(f_localfile_kernel_kern);
};
log {
    source(s_src);
    filter(f_localfile_kernel);
    destination(d_localfile_kernel);
    flags(flow-control);
};

And I see in my kernel.log file:

<46>1 2020-03-18T18:35:28+00:00 localhost - - - [meta sequenceId="1"] -- MARK --
<46>1 2020-03-18T18:55:28+00:00 localhost - - - [meta sequenceId="2"] -- MARK --
<46>1 2020-03-18T19:15:28+00:00 localhost - - - [meta sequenceId="3"] -- MARK --
<46>1 2020-03-18T19:35:28+00:00 localhost - - - [meta sequenceId="4"] -- MARK --
<46>1 2020-03-18T19:55:28+00:00 localhost - - - [meta sequenceId="5"] -- MARK --
<46>1 2020-03-18T20:15:28+00:00 localhost - - - [meta sequenceId="6"] -- MARK --
<46>1 2020-03-18T20:35:28+00:00 localhost - - - [meta sequenceId="7"] -- MARK --
<46>1 2020-03-18T20:55:28+00:00 localhost - - - [meta sequenceId="8"] -- MARK --
<46>1 2020-03-18T21:15:28+00:00 localhost - - - [meta sequenceId="9"] -- MARK --


I was not expecting to see syslog facility messages coming out, since I am filtering by kernel facility.


Is this expected behavior?


Thanks & regards,

Alex
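
Added example, not part of the original thread and not syslog-ng code: a Python check that decodes the PRI field of the RFC 5424 lines quoted above (46 = facility 5 "syslog" * 8 + severity 6 "info") and reports entries in the file that the posted facility(kern) and level(info .. emerg) filter would not have passed, such as destination-generated MARK lines. The function names and the kernel sample line are constructed for illustration, and the structured-data pattern ignores escaped brackets.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

def parse(line):
    """Return a dict for one RFC 5424 line, or None if it does not parse."""
    m = RFC5424.match(line.strip())
    if not m:
        return None
    # PRI = facility * 8 + severity
    facility, severity = divmod(int(m["pri"]), 8)
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "is_mark": (m["msg"] or "") == "-- MARK --",
    }

def passes_kern_filter(rec):
    """Mirror facility(kern) and level(info .. emerg) from the posted filter."""
    return rec["facility"] == "kern" and rec["severity"] != "debug"

def unexpected_entries(lines):
    """Records present in the file that the filter would not have passed."""
    recs = [parse(l) for l in lines if l.strip()]
    return [r for r in recs if r and not passes_kern_filter(r)]

# Constructed sample: two MARK lines from the post plus one made-up kernel line.
SAMPLE = [
    '<46>1 2020-03-18T18:35:28+00:00 localhost - - - [meta sequenceId="1"] -- MARK --',
    '<6>1 2020-03-18T18:40:02+00:00 localhost kernel - - - usb 1-1: new device',
    '<46>1 2020-03-18T18:55:28+00:00 localhost - - - [meta sequenceId="2"] -- MARK --',
]

if __name__ == "__main__":
    for r in unexpected_entries(SAMPLE):
        tag = "MARK" if r["is_mark"] else "other"
        print(r["timestamp"], r["facility"], r["severity"], tag)
```

Any record this reports from a destination that sits behind a facility filter did not travel through that log path's filter, which is the behaviour the reply describes for MARK messages.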