NXLog Documentation


Kernel (im_kernel)

This module collects kernel log messages from the kernel log buffer. It works on Linux, BSD, and macOS.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.

For NXLog to read logs from the kernel buffer, it may be necessary to disable the system logger (systemd, klogd, or logd) or configure it to not read events from the kernel.

Special privileges are required for reading kernel logs. For this, NXLog needs to be started as root. With the User and Group global directives, NXLog can then drop its root privileges while keeping the CAP_SYS_ADMIN capability for reading the kernel log buffer.

Unfortunately it is not possible to read from the /proc/kmsg pseudo file for an unprivileged process even if the CAP_SYS_ADMIN capability is kept. For this reason, the /proc/kmsg interface is not supported by the im_kernel module. The im_file module should work fine with the /proc/kmsg pseudo file if one wishes to collect kernel logs this way, though this will require NXLog to be running as root.

Log Sample

<6>Some message from the kernel.

Kernel messages are valid BSD syslog messages, with a priority from 0 (emerg) to 7 (debug), but do not contain timestamp and hostname fields.

In addition, im_kernel also reads non-kernel events. The priority of these events is a bitwise combination of the facility and severity fields (facility shifted left by three bits, combined with the severity in the low three bits). The priority for non-kernel events can therefore have a value of up to 191 (facility 23, severity 7) or above. To extract the facility and severity from the priority, use one of the xm_syslog functions syslog_facility_string(), syslog_facility_value(), syslog_severity_string(), or syslog_severity_value().

Event records produced by im_kernel can be parsed with the xm_syslog parse_syslog_bsd() procedure; the timestamp and hostname fields that kernel messages lack are then filled in by NXLog.
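To make the priority arithmetic above concrete, here is an added example (not NXLog's own code) of a small parser for the record format im_kernel produces: a `<PRI>` prefix followed by the message, with no timestamp or hostname. It splits the priority the same way the xm_syslog functions do (facility = PRI divided by 8, severity = PRI modulo 8) and labels records whose facility is 0 as kernel events. The output field names mirror those set by parse_syslog_bsd(); the facility name table, the sample lines, and the `FromKernel` field are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Matches "<PRI>message" as emitted by im_kernel; PRI is 1-3 decimal digits.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# RFC 3164 facility/severity names in the uppercase form NXLog uses.
# Constructed table; the names for facilities 13-15 (NTP, AUDIT, ALERT, CLOCK
# for 12-15) follow common convention and are an assumption here.
FACILITY_NAMES = [
    "KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
    "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK",
    "LOCAL0", "LOCAL1", "LOCAL2", "LOCAL3", "LOCAL4", "LOCAL5", "LOCAL6", "LOCAL7",
]
SEVERITY_NAMES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]


def split_priority(pri: int) -> Tuple[int, int]:
    """Return (facility, severity) for a syslog PRI value, PRI = facility * 8 + severity."""
    if pri < 0:
        raise ValueError("priority must be non-negative")
    # Facility lives in the bits above the low three; severity in the low three.
    return pri >> 3, pri & 0x7


def parse_kernel_line(line: str) -> Optional[dict]:
    """Parse one im_kernel record; return None when the <PRI> prefix is missing."""
    m = PRI_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    pri = int(m.group(1))
    facility, severity = split_priority(pri)
    # Priorities of 192 and above fall outside the 24 standard facilities:
    # keep the numeric value but do not invent a name for it.
    facility_name = FACILITY_NAMES[facility] if facility < len(FACILITY_NAMES) else None
    return {
        "SyslogFacilityValue": facility,
        "SyslogFacility": facility_name,
        "SyslogSeverityValue": severity,
        "SyslogSeverity": SEVERITY_NAMES[severity],
        "Message": m.group(2),
        # Constructed field: true kernel messages always carry facility 0 (kern).
        "FromKernel": facility == 0,
    }


if __name__ == "__main__":
    # Constructed sample input: the page's kernel message plus two non-kernel events.
    samples = [
        "<6>Some message from the kernel.",
        "<30>sshd: user-space daemon event",
        "<191>local7 debug event",
    ]
    for sample in samples:
        print(parse_kernel_line(sample))
```

Run it as a script to see the three sample records decoded; `split_priority()` is the part to reuse if you need to reproduce syslog_facility_value() and syslog_severity_value() outside NXLog, for example when checking a collector's output in a test.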

Configuration

The im_kernel module accepts the following directives in addition to the common module directives.

Optional directives

DeviceFile

This directive sets the device file from which to read events, for non-Linux platforms. If this directive is not specified, the default is /dev/klog.

PollInterval

This directive specifies how frequently the module will check for new events, in seconds, on Linux. If this directive is not specified, the default is 1 second. Fractional seconds may be specified (PollInterval 0.5 will check twice every second).

Examples

Example 1. Reading messages from the kernel

This configuration collects log messages from the kernel and writes them to file. This should work on Linux, the BSDs, and macOS (but the system logger may need to be disabled or reconfigured).

nxlog.conf
# Drop privileges after being started as root
User nxlog
Group nxlog

<Input kernel>
    Module  im_kernel
</Input>

<Output file>
    Module  om_file
    File    "tmp/output"
</Output>
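The following configuration is an added example, not one from the NXLog documentation or project, that extends Example 1 with the directives and procedures described on this page: it loads xm_syslog, parses each kernel record with parse_syslog_bsd() so the facility and severity fields become available, polls the Linux buffer twice per second, and re-serialises each record with to_syslog_bsd() so the written line carries the timestamp and hostname that raw kernel messages lack. The output path /var/log/nxlog/kernel.log and the route name are assumptions.

```conf
# Drop privileges after being started as root; CAP_SYS_ADMIN is retained
# for reading the kernel log buffer, as described above.
User nxlog
Group nxlog

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input kernel>
    Module        im_kernel
    # Check the kernel buffer twice per second (Linux only)
    PollInterval  0.5
    # Fill in $SyslogFacility, $SyslogSeverity, $Message and friends
    Exec          parse_syslog_bsd();
</Input>

<Output file>
    Module  om_file
    # Assumed output path
    File    "/var/log/nxlog/kernel.log"
    # Write a full BSD syslog line, now including timestamp and hostname
    Exec    to_syslog_bsd();
</Output>

<Route kernel_to_file>
    Path    kernel => file
</Route>
```

With the fields populated in the input, the same Exec block is the place to add a filter (for example, dropping records whose $SyslogSeverityValue is 7) before the events reach the output.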