Klogd
klogd is a daemon that intercepts and records Linux kernel messages. Its command line syntax is as follows:
klogd [-f file] [-iI] [-n] [-o] [-p] [-s] [-k file] [-v] [-x] [-2]
Command line parameter description:
-f file
Logs are recorded directly in the specified file instead of being forwarded to the syslogd process.
-i
-I
Signal the running klogd daemon to reload the kernel symbol table.
-i makes the daemon reload the kernel module symbols.
-I makes the daemon reload both the static kernel symbols and the kernel module symbols.
-n
Do not automatically run in the background. This switch must be used when klogd is started by init and directly controlled by init.
-o
klogd exits immediately after reading and recording all messages in the kernel message buffer (it does not run as a daemon).
-p
Whenever klogd detects that the kernel message stream contains an oops string, it reloads the kernel symbol table.
-s
Kernel messages can be obtained through two channels: the /proc file system and the sys_syslog system call interface. Although the two are essentially equivalent, klogd uses the /proc/kmsg file first. This switch forces klogd to use the system call to obtain kernel messages.
-k file
Use the specified file as the kernel symbol table file, that is, the location of the System.map file.
-v
Print the version information and exit.
-x
Skip EIP translation, so the System.map file does not need to be read.
-2
When the symbol is expanded, two lines are printed. One line converts the address to the symbol and the other line is the original text. This allows some external programs (such as ksymoops) to process raw data.
Message forwarding
If klogd forwards kernel messages to the syslogd process, it can prioritize individual messages. The format of the original kernel message is as follows:
<[0-7]> something said by the kernel.
The number in angle brackets indicates the priority of the kernel message; the priorities are defined in the kernel.h file. When klogd receives a kernel message, it reads the number and assigns the appropriate priority when forwarding the message to syslogd.
If you use -f to record kernel messages directly to a specific file, the messages remain unchanged.
Kernel Address Resolution
klogd tries to resolve kernel addresses to the corresponding symbols. If you want the original address information, you can use the "-2" switch. If the "-k" option is not used, the following paths are tried in sequence:
/boot/System.map
/System.map
/usr/src/linux/System.map
Because kernel modules are loaded dynamically, their addresses are not fixed, so "-i" or "-I" must be used to notify klogd of kernel module changes. Both of these switches cause the currently running klogd daemon to reload the kernel symbol table. The following command should be run immediately after each kernel module is loaded or unloaded:
klogd -i
The -p switch can also be used to update the kernel symbol table. It causes klogd to reload the kernel symbol table when it detects a protection fault. Be careful when using this switch: the operating system is unstable when a protection fault occurs, and klogd must execute a system call to reload the kernel symbol table, so doing so may lead to worse results.
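The address-to-symbol lookup described above, as an added example (not klogd's own code). The System.map excerpt, the sample addresses and the "[<symbol+0xoffset>]" output form are constructed for illustration; treating addresses above the last static symbol as unresolved is a simplification that stands in for module addresses missing from the table.

```python
import bisect
import re

# Constructed System.map excerpt: "<hex address> <type> <symbol>" per line.
SAMPLE_SYSTEM_MAP = """\
c0100000 T _text
c0105000 T do_signal
c0105400 T sys_sigreturn
c0110000 T schedule
c0110800 T _etext
"""

ADDR_RE = re.compile(r"\[<([0-9a-fA-F]{8,16})>\]")

def load_symbols(text):
    """Return a list of (address, name) tuples sorted by address."""
    symbols = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            symbols.append((int(parts[0], 16), parts[2]))
        except ValueError:
            continue  # first field is not a hex address
    symbols.sort()
    return symbols

def resolve(symbols, addr):
    """Map addr to 'symbol+0xoffset'; None if outside the table's range."""
    addrs = [a for a, _ in symbols]
    i = bisect.bisect_right(addrs, addr) - 1
    # Outside the static kernel image (for example a module loaded after the
    # table was read): leave it unresolved rather than guess a symbol.
    if i < 0 or addr > addrs[-1]:
        return None
    base, name = symbols[i]
    return f"{name}+0x{addr - base:x}"

def annotate(symbols, message):
    """Rewrite each [<address>] in message as [<symbol+0xoffset>] when known."""
    def sub(match):
        sym = resolve(symbols, int(match.group(1), 16))
        return f"[<{sym}>]" if sym else match.group(0)
    return ADDR_RE.sub(sub, message)
```

An address that stays in raw form after annotation is the case the "-i" reload addresses: the table held by the daemon no longer covers what the kernel has loaded.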
Console Log Level
The default log level of the kernel console is "7" (debug). Messages with a level number less than or equal to 6 (that is, with a higher priority) are displayed on the console. These levels are defined in the kernel.h file, and a copy is also included in syslog.h in this package. You can use sysctl to specify the log level of the console, which is usually set in the /etc/sysctl.conf file, for example with the following line:
kernel.printk = 4 4 1 7
This sets the log level of the kernel console to "4".
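The priority prefix from the Message forwarding section and the console threshold above, combined in an added example (not klogd's or the kernel's code). The sample lines are constructed; the names of the four kernel.printk fields come from the kernel's sysctl documentation rather than from this page, and the severity names are the standard syslog ones.

```python
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PREFIX_RE = re.compile(r"^<([0-7])>")

# Constructed kernel message lines in the "<N>text" form described above.
SAMPLE_LINES = [
    "<3>ata1: failed command 0x25",
    "<6>eth0: link up",
    "<4>TCP: possible SYN flooding on port 80",
    "unprefixed line from a driver",
]

def parse_printk(value):
    """Parse 'kernel.printk = 4 4 1 7' (or just the four numbers)."""
    numbers = value.split("=", 1)[-1].split()
    if len(numbers) != 4:
        raise ValueError("kernel.printk takes exactly four integers")
    names = ("console_loglevel", "default_message_loglevel",
             "minimum_console_loglevel", "default_console_loglevel")
    return dict(zip(names, map(int, numbers)))

def classify(line, default_level):
    """Return (level, text); lines without a <N> prefix get default_level."""
    m = PREFIX_RE.match(line)
    if m:
        return int(m.group(1)), line[m.end():].strip()
    return default_level, line.strip()

def console_view(lines, printk_value):
    """Return (severity, text) for the messages that reach the console."""
    cfg = parse_printk(printk_value)
    shown = []
    for line in lines:
        level, text = classify(line, cfg["default_message_loglevel"])
        # Only levels numerically below the console log level are displayed.
        if level < cfg["console_loglevel"]:
            shown.append((SEVERITY[level], text))
    return shown
```

With the sysctl line shown above, only the "err" message reaches the console; the warning and info lines are still delivered to klogd and syslogd, so lowering the console level reduces console noise without dropping them from the log.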
Signal Processing
klogd can respond to eight types of signals: SIGHUP, SIGINT, SIGKILL, SIGTERM, SIGTSTP, SIGUSR1, SIGUSR2, and SIGCONT. The SIGINT, SIGKILL, SIGTERM, and SIGHUP signals allow the process to exit gracefully and properly. The SIGTSTP signal causes the process to stop logging and enter the sleep state. The SIGCONT signal allows the process in the sleep state to record logs again. Using SIGSTOP and SIGCONT together, you can switch the source of log messages without exiting the process. For example, you can run the following commands to unmount the /proc file system:
# kill -TSTP pid
# umount /proc
# kill -CONT pid
SIGUSR1 and SIGUSR2 are used to load or reload the kernel symbol table. SIGUSR1 reloads the kernel module information. SIGUSR2 reloads both the module information and the static kernel information. If the location of the System.map file is correct, the SIGUSR1 signal is very useful, especially when kernel modules change.
Related Files
/proc/kmsg
The source that klogd uses by default to obtain kernel messages
/var/run/klogd.pid
File that stores the PID of klogd
/boot/System.map, /System.map, /usr/src/linux/System.map
Default locations searched for the kernel symbol table