Return to
Portfolio

109.16. Kernel (im_kernel)

This module collects kernel log messages from the kernel log buffer. This module works on Linux, the BSDs, and macOS.

Warning
 In order for NXLog to read logs from the kernel buffer, it may be necessary to disable the system logger (systemd, klogd, or logd) or configure it to not read events from the kernel.

Special privileges are required for reading kernel logs. For this, NXLog needs to be started as root. With the User and Group global directives, NXLog can then drop its root privileges while keeping the CAP_SYS_ADMIN capability for reading the kernel log buffer.

Note
 Unfortunately it is not possible to read from the /proc/kmsg pseudo file for an unprivileged process even if the CAP_SYS_ADMIN capability is kept. For this reason the /proc/kmsg interface is not supported by the im_kernel module. The im_file module should work fine with the /proc/kmsg pseudo file if one wishes to collect kernel logs this way, though this will require NXLog to be running as root.
Log Sample
<6>Some message from the kernel.

Kernel messages are valid BSD Syslog messages, with a priority from 0 (emerg) to 7 (debug), but do not contain timestamp and hostname fields. These can be parsed with the xm_syslog parse_syslog_bsd() procedure, and the timestamp and hostname fields will be added by NXLog.

109.16.1. Configuration

The im_kernel module accepts the following directives in addition to the common module directives.

DeviceFile

This directive sets the device file from which to read events, for non-Linux platforms. If this directive is not specified, the default is /dev/klog.

PollInterval

This directive specifies how frequently the module will check for new events, in seconds, on Linux. If this directive is not specified, the default is 1 second. Fractional seconds may be specified (PollInterval 0.5 will check twice every second).

109.16.2. Examples

Example 554. Reading Messages From the Kernel

This configuration collects log messages from the kernel and writes them to file. This should work on Linux, the BSDs, and macOS (but the system logger may need to be disabled or reconfigured).

nxlog.conf [Download file]

  
1
2
3
4
5
6
7
8
9
10
11
12


  
# Drop privileges after being started as root
User nxlog
Group nxlog

<Input kernel>
    Module  im_kernel
</Input>

<Output file>
    Module  om_file
    File    "tmp/output"
</Output>

← Previous: Kafka (im_kafka) | ↑ Up: Input Modules | ⌂ Home: NXLog User Guide | Next: im_linuxaudit →