In Linux there are two potential sources of kernel log information: the /proc filesystem and the syscall (sys_syslog) interface, although ultimately they are one and the same. Klogd is designed to choose whichever source of information is the most appropriate. It does this by first checking for the presence of a mounted /proc filesystem. If this is found the /proc/kmsg file is used as the source of kernel log information. If the proc filesystem is not mounted klogd uses a system call to obtain kernel messages. The command line switch (-s) can be used to force klogd to use the system call interface as its messaging source.
If kernel messages are directed through the syslogd daemon, the klogd daemon, as of version 1.1, has the ability to properly prioritize kernel messages. Prioritization of kernel messages was added to the kernel at approximately version 0.99pl13. The raw kernel messages are of the form:
The priority of the kernel message is encoded as a single numeric digit enclosed inside the <> pair. The definitions of these values are given in the kernel include file kernel.h. When a message is received from the kernel the klogd daemon reads this priority level and assigns the appropriate priority level to the syslog message. If file output (-f) is used the prioritization sequence is left pre-pended to the kernel message.
The klogd daemon also allows the ability to alter the presentation of kernel messages to the system console. Consequent with the prioritization of kernel messages was the inclusion of default messaging levels for the kernel. In a stock kernel the default console log level is set to 7. Any messages with a priority level numerically lower than 7 (higher priority) appear on the console.
Messages of priority level 7 are considered to be 'debug' messages and will thus not appear on the console. Many administrators, particularly in a multi-user environment, prefer that all kernel messages be handled by klogd and either directed to a file or to the syslogd daemon. This prevents 'nuisance' messages such as line printer out of paper or disk change detected from cluttering the console.
By default the klogd daemon executes a system call to inhibit all kernel messages (except for panics) from being displayed on the console. The -c switch can be used to alter this behavior. The argument given to the -c switch specifies the priority level of messages which will be directed to the console. Note that messages of a priority value LOWER than the indicated number will be directed to the console.
The definitions of the numeric values for kernel messages are given in the file kernel.h which can be found in the /usr/include/linux directory if the kernel sources are installed. These values parallel the syslog priority values which are defined in the file syslog.h found in the /usr/include/sys sub-directory.
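The following C example is added here for illustration and is not code from klogd or the sysklogd sources. It parses the single-digit <N> prefix described above, maps it to the parallel syslog.h priority, and applies the "numerically lower than the console level" rule. The function names are hypothetical, the sample lines are constructed, and treating an unprefixed line as LOG_INFO is an assumption of this example.

```c
#include <stdio.h>
#include <syslog.h>

/* Kernel levels 0-7 in order; they parallel the syslog.h priorities. */
static const int kpri_to_syslog[8] = { LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR,
                                       LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG };
static const char *kpri_name[8] = { "emerg", "alert", "crit", "err",
                                    "warning", "notice", "info", "debug" };

/* Parse a leading "<N>" (one digit, 0-7). Returns N and points *text at the
 * message body, or returns -1 and leaves *text at the start of the line. */
int parse_kmsg_priority(const char *line, const char **text)
{
    *text = line;
    if (line[0] != '<' || line[1] < '0' || line[1] > '7' || line[2] != '>')
        return -1;
    *text = line + 3;
    return line[1] - '0';
}

/* Syslog priority for a raw line. LOG_INFO for unprefixed or malformed
 * lines is this example's assumption, not something the page specifies. */
int syslog_priority(const char *line)
{
    const char *text;
    int k = parse_kmsg_priority(line, &text);
    return k < 0 ? LOG_INFO : kpri_to_syslog[k];
}

/* Console rule from the text: shown only if numerically LOWER than the level. */
int shown_on_console(int kpri, int console_loglevel)
{
    return kpri >= 0 && kpri < console_loglevel;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real kernel. */
    const char *samples[] = { "<0>constructed fatal error", "<4>constructed warning",
                              "<7>constructed debug trace", "<9>constructed bad digit",
                              "constructed line, no prefix" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *text;
        int k = parse_kmsg_priority(samples[i], &text);
        printf("%-7s console=%d  %s\n", k < 0 ? "(none)" : kpri_name[k],
               shown_on_console(k, 7), text);
    }
    return 0;
}
```

With the stock console log level of 7, the <7> line parses as debug but is not shown on the console, while <0> and <4> are.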
The klogd daemon can also be used in a 'one-shot' mode for reading the kernel message buffers. One shot mode is selected by specifying the -o switch on the command line. Output will be directed to either the syslogd daemon or to an alternate file specified by the -f switch.
/boot/System.map
/System.map
/usr/src/linux/System.map
Version information is supplied in the system maps as of kernel 1.3.43. This version information is used to direct an intelligent search of the list of symbol tables. This feature is useful since it provides support for both production and experimental kernels.
For example a production kernel may have its map file stored in /boot/System.map. If an experimental or test kernel is compiled with the sources in the 'standard' location of /usr/src/linux the system map will be found in /usr/src/linux/System.map. When klogd starts under the experimental kernel the map in /boot/System.map will be bypassed in favor of the map in /usr/src/linux/System.map.
Modern kernels as of 1.3.43 properly format important kernel addresses so that they will be recognized and translated by klogd. Earlier kernels require a source code patch be applied to the kernel sources. This patch is supplied with the sysklogd sources.
The SIGTSTP and SIGCONT signals are used to start and stop kernel logging. Upon receipt of a SIGTSTP signal the daemon will close its log sources and spin in an idle loop. Subsequent receipt of a SIGCONT signal will cause the daemon to go through its initialization sequence and re-choose an input source. Using SIGTSTP and SIGCONT in combination the kernel log input can be re-chosen without stopping and restarting the daemon. For example if the /proc file system is to be un-mounted the following command sequence should be used:
Notations will be made in the system logs with LOG_INFO priority documenting the start/stop of logging.