syslog-ng has a feature where it spits out "-- MARK --" every so often (default: 20 min). This lets you know it's working.
I wrote two little scripts (feel free to reuse) to help keep an eye on my logs (see bottom). The MARKs are annoying me. So I want to turn them off.
Google gave me the man page of another implementation of syslog that takes a -m switch that lets you specify how often a MARK is generated or 0 to disable that feature. man 8 syslog-ng and syslog --help do not mention a -m switch.
man 5 syslog-ng.conf mentions a mark(n) setting you can apply to /etc/syslog-ng.conf - but check this out:
mark(n)
The number of seconds between two MARK lines. NOTE: not implemented yet.
I decided to set the mark(n) anyhow to 0. Passing a HUP signal to syslog-ng (which man 8 syslog-ng tells me will make it reread the config files) gets this added to the log files:
Your configuration file uses an obsoleted keyword, please update your configuration; keyword='mark', change='mark_freq'
So the binary and man page are out of sync.
OK. So I try setting mark_freq(0)...
syslog-ng emits a MARK every zero seconds. That took me 663,000 MARKs to catch. And 4 minutes.
Now trying mark_freq(10000). Is there hope? Can it be turned off?
Does this go upstream?
EDIT:
$ pacman -Qi syslog-ng
Name : syslog-ng
Version : 3.0.1-6
URL : http://www.balabit.com/network-security/syslog-ng/
The http://www.balabit.com/dl/html/syslog-n … 08s09.html
mark_freq() -> If set to zero (0), no MARK messages are sent.
Hah! Not in my version.
--- SCRIPTS ---
check_logs
time=${1:-60}
find /var/log -maxdepth 1 -type f -mmin -"$time" -exec bash -c 'file "$1" | grep -q text || exit ; echo "$1"; tail -n 20 "$1" ; echo ; echo' _ {} \;
watch_logs
d=$( date +%s )
while : ; do
read -t 1800 || read -p "Press enter to see"
t=$( date +%s )
e=$(( ( t - d ) / 60 + 1 ))
{ date -d @$d; date -d @$t; check_logs $e ; } | less ; d=$t
done
Last edited by yitzle (2009-07-08 02:52:54)
Passing mark_freq a value of 0 works as expected here. What does your conf file look like?
@version: 3.0
#
# /etc/syslog-ng.conf
#
options {
stats_freq (0);
mark_freq (0);
... and so on ...
Last edited by peart (2009-07-08 02:47:51)
@version: 3.0
#
# /etc/syslog-ng.conf
#
options {
stats_freq (0);
flush_lines (4096);
time_reopen (10);
log_fifo_size (4096);
long_hostnames(off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
dir_perm(0640);
dir_group("log");
perm(0640);
group("log");
mark_freq(0);
};
Send a HUP and watch the logs grow.
Sorry yitzle, using both your conf and mine, the logs don't grow when I send syslog-ng the HUP signal. All I get is
Configuration reload request received, reloading configuration;
I found this old bug report, but it was closed with "works for me", which probably isn't much help to you...
I don't get it...
I set mark_freq(0) again and did a HUP and it's not spamming my logs...
Is it possible to get it in a certain state of 'emit MARK' in which case it'll keep emitting a mark or something? I didn't change anything else.
Thanks, peart!
$ wc -l *
2561815 everything.log
2561143 messages.log
I got me 2.5 million MARKs...
Try setting mark_freq(0) and waiting until the point in time where it would have emitted a MARK with the old setting. If it was not set (default) or set to 20*60, check when the last mark was, set mark_freq(0), HUP and watch the logs around 20 min from the last MARK. Let me know if you get lots of MARKs like this...
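The check described in the last post (find the last MARK, then watch for a burst after the HUP) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, the sample log lines and hostname are constructed, and it assumes the traditional "Mon DD HH:MM:SS host message" line layout.

```shell
#!/bin/sh
# Added example: locate the last MARK and flag minutes with a MARK burst.
# Assumes the traditional "Mon DD HH:MM:SS host message" syslog layout.

# last_mark FILE
# Prints the timestamp of the most recent "-- MARK --" line, so you know
# when the next MARK was due under the old interval.
last_mark() {
    awk '/-- MARK --/ { ts = $1 " " $2 " " $3 }
         END { if (ts != "") print ts }' "$1"
}

# mark_flood_minutes FILE [THRESHOLD]
# Prints "Mon DD HH:MM count" for each minute that holds more than
# THRESHOLD MARK lines (default 1). With any mark_freq of 60 seconds or
# more, a healthy daemon never writes more than one MARK per minute.
mark_flood_minutes() {
    awk -v limit="${2:-1}" '
        /-- MARK --/ {
            minute = $1 " " $2 " " substr($3, 1, 5)
            if (!(minute in count)) order[++n] = minute
            count[minute]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > limit)
                    print order[i], count[order[i]]
        }
    ' "$1"
}

# make_sample_log FILE
# Writes a constructed log: two normal MARKs 20 minutes apart, a reload
# message, then a small burst of MARKs inside a single minute.
make_sample_log() {
    {
        echo "Jul  8 02:10:01 myhost -- MARK --"
        echo "Jul  8 02:30:01 myhost -- MARK --"
        echo "Jul  8 02:41:07 myhost syslog-ng[300]: Configuration reload request received, reloading configuration;"
        for i in 1 2 3 4 5; do
            echo "Jul  8 02:50:01 myhost -- MARK --"
        done
    } > "$1"
}
```

Run `last_mark /var/log/messages.log` before sending the HUP, then `mark_flood_minutes /var/log/messages.log` once the old interval has elapsed; any output line is a minute in which the daemon wrote more than one MARK.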