*******************************
imklog: Kernel Log Input Module
*******************************

===========================  ===========================================================================
**Module Name:**             **imklog**
**Author:**                  `Rainer Gerhards <https://rainer.gerhards.net/>`_ <rgerhards@adiscon.com>
===========================  ===========================================================================


Purpose
=======

Reads messages from the kernel log and submits them to the syslog
engine.


Configuration Parameters
========================

.. note::

   Parameter names are case-insensitive.


Module Parameters
-----------------

InternalMsgFacility
^^^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "facility", "(see description)", "no", "``$KLogInternalMsgFacility``"

The facility which messages internally generated by imklog will
have. imklog generates some messages by itself (e.g. on problems,
startup and shutdown) and these do not stem from the kernel.
Historically, under Linux, these too have "kern" facility. Thus, on
Linux platforms the default is "kern" while on others it is
"syslogd". You usually do not need to specify this configuration
directive - it is included primarily for the few limited cases where it
is needed for good reason. Bottom line: if you don't have a good idea
why you should use this setting, do not touch it.


PermitNonKernelFacility
^^^^^^^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "binary", "off", "no", "``$KLogPermitNonKernelFacility``"

At least under BSD, the kernel log may contain entries with
non-kernel facilities. This setting controls how those are handled.
The default is "off", in which case these messages are ignored.
Set it to "on" to submit non-kernel messages to rsyslog processing.


ConsoleLogLevel
^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "-1", "no", "``$klogConsoleLogLevel``"

Sets the console log level. If specified, only messages with up to
the specified level are printed to the console. The default is -1,
which means that the current settings are not modified. To get this
behavior, do not specify $klogConsoleLogLevel in the configuration
file. Note that this is a global parameter. Each time it is changed,
the previous definition is reset. The setting that takes effect is
the one that is active when imklog actually starts processing. In
short: do not specify this directive more than once!

**Linux only**, ignored on other platforms (but may be specified).


ParseKernelTimestamp
^^^^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "binary", "off", "no", "``$klogParseKernelTimestamp``"

If enabled and the kernel creates a timestamp for its log messages,
this timestamp will be parsed and converted into regular message time
instead of using the receive time of the kernel message (as in 5.8.x
and before). Default is 'off' to prevent parsing the kernel timestamp,
because the clock used by the kernel to create the timestamps is not
supposed to be as accurate as the monotonic clock required to convert
it. Depending on the hardware and kernel, it can result in message
time differences between kernel and system messages which occurred at
the same time.


KeepKernelTimestamp
^^^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "binary", "off", "no", "``$klogKeepKernelTimestamp``"

If enabled, this option keeps the [timestamp] provided by the kernel
at the beginning of each message rather than removing it when it
could be parsed and converted into local time for use as regular
message time. Only used when $klogParseKernelTimestamp is on.
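The following added example (not rsyslog's own code) models how PermitNonKernelFacility, ParseKernelTimestamp and KeepKernelTimestamp change what is submitted for one kernel log line. It assumes lines in the ``<PRI>[seconds.micros] text`` shape, and ``boot_time`` is a hypothetical stand-in for the clock conversion imklog performs.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed kernel log lines in the "<PRI>[seconds.micros] text" shape.
SAMPLE_KERN = "<6>[   12.345678] usb 1-1: new high-speed USB device"
SAMPLE_DAEMON = "<30>[   99.000001] message logged with a non-kernel facility"

_LINE = re.compile(r"<(\d{1,3})>((\[\s*(\d+)\.(\d{1,6})\])\s?)?(.*)", re.S)


def process(line, recv_time, boot_time, parse_ts=False, keep_ts=False,
            permit_non_kernel=False):
    """Model the three options; returns None when the message is ignored."""
    m = _LINE.fullmatch(line)
    if m is None:
        raise ValueError("line has no <PRI> prefix; not covered by this sketch")
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7      # syslog PRI = facility*8 + severity
    if facility != 0 and not permit_non_kernel:
        return None                             # PermitNonKernelFacility="off"
    stamp, secs, frac, text = m.group(3), m.group(4), m.group(5), m.group(6)
    after_pri = line[m.end(1) + 1:]             # everything after "<PRI>"
    if parse_ts and stamp is not None:
        # ParseKernelTimestamp="on": message time comes from the kernel stamp.
        when = boot_time + timedelta(seconds=int(secs),
                                     microseconds=int(frac.ljust(6, "0")))
        # KeepKernelTimestamp decides whether "[...]" stays in the text.
        msg = after_pri if keep_ts else text
    else:
        # Default: receive time is used and the text is left untouched.
        when, msg = recv_time, after_pri
    return {"facility": facility, "severity": severity, "time": when, "msg": msg}


if __name__ == "__main__":
    boot = datetime.fromtimestamp(1700000000, tz=timezone.utc)  # assumed boot time
    recv = boot + timedelta(seconds=13)                         # assumed receive time
    for opts in ({}, {"parse_ts": True}, {"parse_ts": True, "keep_ts": True}):
        print(opts, process(SAMPLE_KERN, recv, boot, **opts))
    print(process(SAMPLE_DAEMON, recv, boot))
    print(process(SAMPLE_DAEMON, recv, boot, permit_non_kernel=True))
```

For event correlation, the first two runs show the same message carrying two different times depending on ParseKernelTimestamp.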


LogPath
^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "word", "(see description)", "no", "``$klogpath``"

Defines the path to the log file that is used.
If this parameter is not set, a default will be used:
"/proc/kmsg" on Linux and "/dev/klog" on other platforms.


RatelimitInterval
^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "0", "no", "none"

.. versionadded:: 8.35.0

The rate-limiting interval in seconds. Value 0 turns off rate limiting.
Set it to a number of seconds (5 recommended) to activate rate-limiting.


RatelimitBurst
^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "10000", "no", "none"

.. versionadded:: 8.35.0

Specifies the rate-limiting burst in number of messages.  Set it high to
preserve all bootup messages.
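The following added example (not rsyslog's own code) shows how RatelimitInterval and RatelimitBurst interact during a kernel message flood, and which part of the flood is lost. It assumes a simple fixed-window limiter (at most ``burst`` messages per ``interval`` seconds); the arrival times are constructed and the burst of 5000 is a sample value.

```python
def ratelimit(arrivals, interval, burst):
    """Fixed-window model: at most `burst` messages per `interval` seconds.

    arrivals: sorted arrival times in seconds.
    Returns (accepted, dropped) as lists of arrival times.
    """
    if interval == 0:                  # RatelimitInterval=0 turns limiting off
        return list(arrivals), []
    accepted, dropped = [], []
    window_start, done = None, 0
    for t in arrivals:
        # Open a new window on the first message or once the interval passed.
        if window_start is None or t > window_start + interval:
            window_start, done = t, 0
        if done < burst:
            done += 1
            accepted.append(t)
        else:
            dropped.append(t)          # excess within the window is discarded
    return accepted, dropped


def constructed_flood():
    """Constructed input: 12000 messages in 2 s, then 100 messages from t=10 s."""
    flood = [i / 6000 for i in range(12000)]
    later = [10 + i * 0.01 for i in range(100)]
    return flood + later


if __name__ == "__main__":
    for interval, burst in ((0, 10000), (5, 10000), (5, 5000)):
        ok, lost = ratelimit(constructed_flood(), interval, burst)
        first = f"{lost[0]:.3f}s" if lost else "-"
        print(f"interval={interval} burst={burst}: accepted={len(ok)} "
              f"dropped={len(lost)} first_drop_at={first}")
```

In this model the head of the flood is kept and its tail is discarded, so a burst sized below the largest expected message volume leaves a gap in the kernel log for the rest of that window.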


Caveats/Known Bugs
==================

This is obviously platform specific and requires platform drivers.
Currently, imklog functionality is available on Linux and BSD.

This module is **not supported on Solaris** and not needed there. For
Solaris kernel input, use :doc:`imsolaris <imsolaris>`.


Example 1
=========

The following sample pulls messages from the kernel log. All parameters
are left at their defaults, which is usually a good idea. Please note that
loading the plugin is sufficient to activate it. No directive is needed
to start pulling kernel messages.

.. code-block:: none

   module(load="imklog")


Example 2
=========

The following sample adds a ratelimiter.  The burst and interval are
set high to allow for a large volume of messages on boot.

.. code-block:: none

  module(load="imklog" RatelimitBurst="5000" RatelimitInterval="5")


Unsupported |FmtObsoleteName| directives
========================================

.. function:: $DebugPrintKernelSymbols on/off

   Linux only, ignored on other platforms (but may be specified).
   Defaults to off.

.. function:: $klogLocalIPIF

   This directive is no longer supported. Use the global
   $localHostIPIF directive instead.


.. function:: $klogUseSyscallInterface on/off

   Linux only, ignored on other platforms (but may be specified).
   Defaults to off.

.. function:: $klogSymbolsTwice on/off

   Linux only, ignored on other platforms (but may be specified).
   Defaults to off.