Kernel (im_kernel)
This module collects kernel log messages from the kernel log buffer. It works on Linux, BSD, and macOS.
For NXLog Agent to read logs from the kernel buffer, it may be necessary to disable the system logger (systemd, klogd, or logd) or configure it to not read events from the kernel. |
Special privileges are required for reading kernel logs. For this, NXLog Agent needs to be started as root. With the User and Group global directives, NXLog Agent can then drop its root privileges while keeping the CAP_SYS_ADMIN capability for reading the kernel log buffer.
Unfortunately it is not possible to read from the /proc/kmsg pseudo file for an unprivileged process even if the CAP_SYS_ADMIN capability is kept.
For this reason, the /proc/kmsg interface is not supported by the im_kernel module.
The im_file module should work fine with the /proc/kmsg pseudo file if one wishes to collect kernel logs this way, though this will require NXLog Agent to be running as root.
|
<6>Some message from the kernel.
Kernel messages are valid BSD syslog messages, with a priority from 0 (emerg) to 7 (debug), but do not contain timestamp and hostname fields.
In addition, im_kernel also reads non-kernel events. The priority of these events is a bitwise combination of the facility and severity fields. The priority for non-kernel events can have a value of up to 191 or above. To extract the facility and severity from the priority, please use one of the xm_syslog functions syslog_facility_string(), syslog_facility_value(), syslog_severity_string(), or syslog_severity_value().
Event records produced by im_kernel can be parsed with the xm_syslog parse_syslog_bsd() procedure, and the timestamp and hostname fields will be added by NXLog Agent.
Configuration
The im_kernel module accepts the following directives in addition to the common module directives.
Optional directives
This directive sets the device file from which to read events, for non-Linux platforms.
If this directive is not specified, the default is |
|
This directive specifies how frequently the module will check for new events, in seconds, on Linux.
If this directive is not specified, the default is 1 second. Fractional seconds may be specified ( |
Examples
This configuration collects log messages from the kernel and writes them to file. This should work on Linux, the BSDs, and macOS (but the system logger may need to be disabled or reconfigured).
# Drop privileges after being started as root
User nxlog
Group nxlog
<Input kernel>
Module im_kernel
</Input>
<Output file>
Module om_file
File "tmp/output"
</Output>