syslog-ng and "-- MARK --"

yitzle · 2009-07-08 02:35:36

syslog-ng has a feature where it spits out "-- MARK --" every so often (default: 20 min). This lets you know its working.

I wrote two little scripts (feel free to reuse) to help keep an eye on my logs (see bottom). The MARK's are annoying me. So I want to turn them off.

Google gave me the man page of another implementation of syslog that takes a -m switch that lets you specify how often a MARK is generated or 0 to disable that feature. man 8 syslog-ng and syslog --help do not mention a -m switch.
man 5 syslog-ng.conf mentions a mark(n) setting you can apply to /etc/syslog-ng.cong - but check this out:

mark(n)
The number of seconds between two MARK lines. NOTE: not implemented yet.

I decided to set the mark(n) anyhow to 0. Passing a HUP signal to syslog-ng (which man 8 syslog-ng tells me will make it reread the config files) gets this added to the log files:

Your configuration file uses an obsoleted keyword, please update your configuration; keyword='mark', change='mark_freq'

So the binary and man page are out of sync.

OK. So I try setting mark_freq(0)...
syslog-ng emits a MARK every zero seconds. That took me 663,000 MARKs to catch. And 4 minutes.

Now trying mark_freq(10000). Is there hope? Can it be turned off?

Does this go upstream?

EDIT:
$ pacman -Qi syslog-ng
Name : syslog-ng
Version : 3.0.1-6
URL : http://www.balabit.com/network-security/syslog-ng/

The http://www.balabit.com/dl/html/syslog-n … 08s09.html

mark_freq() -> If set to zero (0), no MARK messages are sent.

Hah! Not in my version.

--- SCRIPTS ---
check_logs

time=${1:-60}
find /var/log -maxdepth 1 -type f -mmin -$time -exec bash -c 'file $1 | grep -q 'text' || exit ; echo $1; tail -n 20 $1 ; echo ; echo ' _ {} \;

watch_logs

d=$( date +%s )
while : ; do
        read -t 1800 || read -p "Press enter to see"
        t=$( date +%s )
        e=$(( ( t - d ) / 60 + 1 ))
        { date -d @$d; date -d @$t; check_logs $e ; } | less ; d=$t
done

Last edited by yitzle (2009-07-08 02:52:54)

peart · 2009-07-08 02:47:00

Passing mark_freq a value of 0 works as expected here. What does your conf file look like?

@version: 3.0
#
# /etc/syslog-ng.conf
#

options {
  stats_freq (0);
  mark_freq (0);
... and so on ...

Last edited by peart (2009-07-08 02:47:51)

yitzle · 2009-07-08 03:01:54

@version: 3.0
#
# /etc/syslog-ng.conf
#

options {
  stats_freq (0);
  flush_lines (4096);
  time_reopen (10);
  log_fifo_size (4096);
  long_hostnames(off); 
  use_dns (no);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
  dir_perm(0640);
  dir_group("log");
  perm(0640);
  group("log");
  mark_freq(0);
};

Send a HUP and watch the logs grow.

peart · 2009-07-08 05:22:21

Sorry yitzle, using both your conf and mine, the logs don't grow when I send syslog-ng the HUP signal. All I get is

Configuration reload request received, reloading configuration;

I found this old bug report, but it was closed with "works for me", which probably isn't much help to you...

yitzle · 2009-07-08 16:27:47

I don't get it...
I set mark_freq(0) again and did a HUP and its not spamming my logs...
Is it possible to get it in a certain state of 'emit MARK' in which case it'll keep emitting a mark or something? I didn't change anything else.

Thanks, peart!

yitzle · 2009-07-08 18:30:16

$ wc -l *
2561815 everything.log
2561143 messages.log

I got me 2.5 million MARKs...
Try setting mark_freq(0) and waiting until the point in time where it would have emitted a MARK with the old setting, if if it was not set (default) or set to 20*60, check when the last mark was, set mark_freq(0), HUP and watch the logs around 20 min from the last MARK. Let me know if you get lots of MARKs like this...

Arch Linux

#1 2009-07-08 02:35:36

syslog-ng and "-- MARK --"

#2 2009-07-08 02:47:00

Re: syslog-ng and "-- MARK --"

#3 2009-07-08 03:01:54

Re: syslog-ng and "-- MARK --"

#4 2009-07-08 05:22:21

Re: syslog-ng and "-- MARK --"

#5 2009-07-08 16:27:47

Re: syslog-ng and "-- MARK --"

#6 2009-07-08 18:30:16

Re: syslog-ng and "-- MARK --"

Board footer