Why is the Syslog message "-- MARK --" periodically sent from the Firewall to the external syslog server?

Created On 03/29/23 02:21 AM - Last Modified 06/10/24 21:18 PM


Question


On the syslog server, a suspicious message "-- MARK --" is recorded as a message from Firewalls every 20 minutes. Why is this message sent?
Mar 19 00:11:22 PA-VM -- MARK --
Mar 19 00:31:22 PA-VM -- MARK --
Mar 19 00:51:22 PA-VM -- MARK --


Environment


  • Any Firewall models
  • Supported PAN-OS releases
  • TCP is used for the syslog forwarding from Firewall to the external servers.


Answer


  1. The syslog message "-- MARK --" is sent every 20 minutes as a keep-alive for the TCP session between the external syslog server and the Firewall.
  2. This is done when there are no syslog messages to forward.
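
On the receiving side, the keep-alive can be filtered out of the event stream and used as a liveness signal for the forwarding session. The following Python is an added example, not Palo Alto Networks code; the function names, the two-period gap threshold, the year (these timestamps carry none) and the non-MARK sample line are assumptions.

```python
from datetime import datetime, timedelta

MARK = "-- MARK --"                # keep-alive text from the article
INTERVAL = timedelta(minutes=20)   # keep-alive period from the article
# Assumption: idle-timer reset rule is not documented, so allow two periods.
MAX_GAP = 2 * INTERVAL + timedelta(minutes=1)


def parse(line, year):
    """Parse 'Mon DD HH:MM:SS host message'; return (ts, host, msg) or None."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    mon, day, clock, host, msg = parts
    try:
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return ts, host, msg.strip()


def review(lines, now, year):
    """Return (events, gaps): non-keep-alive records and silent periods per host."""
    events, gaps, last_seen = [], [], {}
    for rec in filter(None, (parse(line, year) for line in lines)):
        ts, host, msg = rec
        prev = last_seen.get(host)
        if prev is not None and ts - prev > MAX_GAP:
            gaps.append((host, prev, ts))      # nothing received for too long
        last_seen[host] = ts
        if msg != MARK:
            events.append(rec)                 # real log record, keep it
    # A host whose newest line is older than MAX_GAP is silent right now.
    for host, ts in last_seen.items():
        if now - ts > MAX_GAP:
            gaps.append((host, ts, now))
    return events, gaps


# Constructed sample: the article's three lines plus two invented ones.
SAMPLE = """\
Mar 19 00:11:22 PA-VM -- MARK --
Mar 19 00:31:22 PA-VM -- MARK --
Mar 19 00:51:22 PA-VM -- MARK --
Mar 19 00:58:03 PA-VM constructed-event-record
Mar 19 02:15:40 PA-VM -- MARK --
""".splitlines()

if __name__ == "__main__":
    print(review(SAMPLE, datetime(2023, 3, 19, 2, 20), 2023))
```

A reported gap means neither logs nor keep-alives arrived in that window, which is worth correlating with TCP session resets or a forwarding change on the Firewall.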


Additional Information


If syslog messages are delayed, refer to "Log Forwarding to Syslog Delayed Troubleshooting".
