klogd
Hurricane Electric Internet Services
NAME
klogd - kernel log daemon.
SYNOPSIS
klogd [ -c n ] [ -d ] [ -f fname ] [ -n ] [ -o ] [ -s ] [
-k fname ] [ -v ]
DESCRIPTION
klogd is a system daemon which intercepts and logs Linux
kernel messages.
OPTIONS
-c n Sets the default log level of console messages to
n.
-d Enable debugging mode. This will generate LOTS of
output to stderr.
-f file
Log messages to the specified filename rather than
to the syslog facility.
-n Avoid auto-backgrounding. This is needed especially
if the klogd is started and controlled by init(8).
-o Execute in 'one-shot' mode. This causes klogd to
read and log all the messages that are found in the
kernel message buffers. After a single read and
log cycle the daemon exits.
-s Force klogd to use the system call interface to the
kernel message buffers.
-k file
Use the specified file as the source of kernel sym-
bol information.
-v Print version and exit.
OVERVIEW
The functionality of klogd has been typically incorporated
into other versions of syslogd but this seems to be a poor
place for it. In the modern Linux kernel a number of ker-
nel messaging issues such as sourcing, prioritization and
resolution of kernel addresses must be addressed. Incor-
porating kernel logging into a separate process offers a
cleaner separation of services.
In Linux there are two potential sources of kernel log
information: the /proc filesystem and the syscall
(sys_syslog) interface, although ultimately they are one
and the same. Klogd is designed to choose whichever
source of information is the most appropriate. It does
this by first checking for the presence of a mounted /proc
filesystem. If this is found the /proc/kmsg file is used
as the source of kernel log information. If the proc
filesystem is not mounted klogd uses a system call to
obtain kernel messages. The command line switch (-s) can
be used to force klogd to use the system call interface as
its messaging source.
If kernel messages are directed through the syslogd daemon
the klogd daemon, as of version 1.1, has the ability to
properly prioritize kernel messages. Prioritization of the
kernel messages was added to it at approximately version
0.99pl13 of the kernel. The raw kernel messages are of the
form:
<[0-7]>Something said by the kernel.
The priority of the kernel message is encoded as a single
numeric digit enclosed inside the <> pair. The defini-
tions of these values is given in the kernel include file
kernel.h. When a message is received from the kernel the
klogd daemon reads this priority level and assigns the
appropriate priority level to the syslog message. If file
output (-f) is used the prioritization sequence is left
pre-pended to the kernel message.
The klogd daemon also allows the ability to alter the pre-
sentation of kernel messages to the system console. Con-
sequent with the prioritization of kernel messages was the
inclusion of default messaging levels for the kernel. In
a stock kernel the the default console log level is set to
7. Any messages with a priority level numerically lower
than 7 (higher priority) appear on the console.
Messages of priority level 7 are considered to be 'debug'
messages and will thus not appear on the console. Many
administrators, particularly in a multi-user environment,
prefer that all kernel messages be handled by klogd and
either directed to a file or to the syslogd daemon. This
prevents 'nuisance' messages such as line printer out of
paper or disk change detected from cluttering the console.
By default the klogd daemon executes a system call to
inhibit all kernel messages (except for panics) from being
displayed on the console. The -c switch can be used to
alter this behavior. The argument given to the -c switch
specifies the priority level of messages which will be
directed to the console. Note that messages of a priority
value LOWER than the indicated number will be directed to
the console.
For example, to have the kernel display all mes-
sages with a priority level of 3 (KERN_ERR) or more
severe the following command would be executed:
klogd -c 4
The definitions of the numeric values for kernel messages
are given in the file kernel.h which can be found in the
/usr/include/linux directory if the kernel sources are
installed. These values parallel the syslog priority val-
ues which are defined in the file syslog.h found in the
/usr/include/sys sub-directory.
The klogd daemon can also be used in a 'one-shot' mode for
reading the kernel message buffers. One shot mode is
selected by specifying the -o switch on the command line.
Output will be directed to either the syslogd daemon or to
an alternate file specified by the -f switch.
For example, to read all the kernel messages after
a system boot and record them in a file called
krnl.msg the following command would be given.
klogd -o -f ./krnl.msg
KERNEL ADDRESS RESOLUTION
klogd will attempt to resolve kernel numeric addresses to
their symbolic forms if a kernel symbol table is available
at execution time. A symbol table may be specified by
using the -k switch on the command line. If a symbol file
is not explicitly specified the following filenames will
be tried:
/boot/System.map
/System.map
/usr/src/linux/System.map
Version information is supplied in the system maps as of
kernel 1.3.43. This version information is used to direct
an intelligent search of the list of symbol tables. This
feature is useful since it provides support for both pro-
duction and experimental kernels.
For example a production kernel may have its map file
stored in /boot/System.map. If an experimental or test
kernel is compiled with the sources in the 'standard'
location of /usr/src/linux the system map will be found in
/usr/src/linux/System.map. When klogd starts under the
experimental kernel the map in /boot/System.map will be
bypassed in favor of the map in /usr/src/linux/System.map.
Modern kernels as of 1.3.43 properly format important ker-
nel addresses so that they will be recognized and
translated by klogd. Earlier kernels require a source
code patch be applied to the kernel sources. This patch
is supplied with the sysklogd sources.
SIGNAL HANDLING
The klogd will respond to six signals: SIGHUP, SIGINT,
SIGKILL, SIGTERM, SIGTSTP and SIGCONT. The SIGINT,
SIGKILL, SIGTERM and SIGHUP signals will cause the daemon
to close its kernel log sources and terminate gracefully.
The SIGTSTP and SIGCONT singals are used to start and stop
kernel logging. Upon receipt of a SIGTSTP signal the dae-
mon will close its log sources and spin in an idle loop.
Subsequent receipt of a SIGCONT signal will cause the dae-
mon to go through its initialization sequence and re-
choose an input source. Using SIGSTOP and SIGCONT in com-
bination the kernel log input can be re-chosen without
stopping and restarting the daemon. For example if the
/proc file system is to be un-mounted the following com-
mand sequence should be used:
# kill -TSTP pid
# umount /proc
# kill -CONT pid
Notations will be made in the system logs with LOG_INFO
priority documenting the start/stop of logging.
FILES
/proc/kmsg
One Source for kernel messages klogd
/var/run/klogd.pid
The file containing the process id of klogd
/System.map, /usr/src/linux/System.map
Default locations for kernel system maps.
BUGS
Probably numerous. Well formed context diffs appreciated.
AUTHOR
The klogd was originally written by Steve Lord
(lord@cray.com), Greg Wettstein made major improvements.
Dr. Greg Wettstein (greg@wind.rmcc.com)
Enjellic Systems Development
Oncology Research Divsion Computing Facility
Roger Maris Cancer Center
Fargo, ND 58122
Hurricane Electric Internet Services
Copyright (C) 1998
Hurricane Electric.
All Rights Reserved.