klogd.8

制作2.6内核的CLFS时 sysklogd-1.5.tar.gz包

.\" Copyright 1994-6 Dr. Greg Wettstein, Enjellic Systems Development.
.\" Copyright 1997-2007 Martin Schulze <joey@infodrom.org>
.\" May be distributed under the GNU General Public License
.\"
.TH KLOGD 8 "27 May 2007" "Version 1.5" "Linux System Administration"
.SH NAME
klogd \- Kernel Log Daemon
.SH SYNOPSIS
.B klogd
.RB [ " \-c "
.I n
]
.RB [ " \-d " ]
.RB [ " \-f "
.I fname
]
.RB [ " \-iI " ]
.RB [ " \-n " ]
.RB [ " \-o " ]
.RB [ " \-p " ]
.RB [ " \-s " ]
.RB [ " \-k "
.I fname
]
.RB [ " \-v " ]
.RB [ " \-x " ]
.RB [ " \-2 " ]
.SH DESCRIPTION
.B klogd
is a system daemon which intercepts and logs Linux kernel
messages.
.SH OPTIONS
.TP
.BI "\-c " n
Sets the default log level of console messages to \fIn\fR.
.TP
.B "\-d"
Enable debugging mode.  This will generate \fBLOTS\fR of output to
stderr.
.TP
.BI "\-f " file
Log messages to the specified filename rather than to the syslog facility.
.TP
.BI "\-i \-I"
Signal the currently executing klogd daemon.  Both of these switches control
the loading/reloading of symbol information.  The \-i switch signals the
daemon to reload the kernel module symbols.  The \-I switch signals for a
reload of both the static kernel symbols and the kernel module symbols.
.TP
.B "\-n"
Avoid auto-backgrounding.  This is needed especially if the
.B klogd
is started and controlled by 
.BR init (8).
.TP
.B "\-o"
Execute in 'one\-shot' mode.  This causes \fBklogd\fP to read and log
all the messages that are found in the kernel message buffers.  After
a single read and log cycle the daemon exits.
.TP
.B "\-p"
Enable paranoia.  This option controls when klogd loads kernel module symbol
information.  Setting this switch causes klogd to load the kernel module
symbol information whenever an Oops string is detected in the kernel message
stream.
.TP
.B "\-s"
Force \fBklogd\fP to use the system call interface to the kernel message
buffers.
.TP
.BI "\-k " file
Use the specified file as the source of kernel symbol information.
.TP
.B "\-v"
Print version and exit.
.TP
.B "\-x"
Omits EIP translation and therefore doesn't read the System.map file.
.TP
.B "\-2"
When symbols are expanded, print the line twice.  Once with addresses
converted to symbols, once with the raw text.  This allows external
programs such as ksymoops do their own processing on the original
data.
.SH OVERVIEW
The functionality of klogd has been typically incorporated into other
versions of syslogd but this seems to be a poor place for it.  In the
modern Linux kernel a number of kernel messaging issues such as
sourcing, prioritization and resolution of kernel addresses must be
addressed.  Incorporating kernel logging into a separate process
offers a cleaner separation of services.

In Linux there are two potential sources of kernel log information: the 
.I /proc
file system and the syscall (sys_syslog) interface, although
ultimately they are one and the same.  Klogd is designed to choose
whichever source of information is the most appropriate.  It does this
by first checking for the presence of a mounted 
.I /proc
file system.  If this is found the 
.I /proc/kmsg
file is used as the source of kernel log
information.  If the proc file system is not mounted 
.B klogd
uses a
system call to obtain kernel messages.  The command line switch
.RB ( "\-s" )
can be used to force klogd to use the system call interface as its
messaging source.

If kernel messages are directed through the 
.BR syslogd " daemon the " klogd
daemon, as of version 1.1, has the ability to properly prioritize
kernel messages.  Prioritization of the kernel messages was added to it
at approximately version 0.99pl13 of the kernel.  The raw kernel messages
are of the form:
.IP
\<[0\-7]\>Something said by the kernel.
.PP
The priority of the kernel message is encoded as a single numeric
digit enclosed inside the <> pair.  The definitions of these values is
given in the kernel include file kernel.h.  When a message is received
from the kernel the klogd daemon reads this priority level and assigns
the appropriate priority level to the syslog message.  If file output
(\fB-f\fR) is used the prioritization sequence is left pre\-pended to the
kernel message.

The klogd daemon can also be used in a 'one\-shot' mode for reading the
kernel message buffers.  One shot mode is selected by specifying the
\fB\-o\fR switch on the command line.  Output will be directed to either the
syslogd daemon or to an alternate file specified by the \fB-f\fR switch.
.IP
For example, to read all the kernel messages after a system
boot and record them in a file called krnl.msg the following
command would be given.
.IP
.nf
	klogd -o -f ./krnl.msg
.fi
.SH KERNEL ADDRESS RESOLUTION
If the kernel detects an internal error condition a general protection
fault will be triggered.  As part of the GPF handling procedure the
kernel prints out a status report indicating the state of the
processor at the time of the fault.  Included in this display are the
contents of the microprocessor's registers, the contents of the kernel
stack and a tracing of what functions were being executed at the time
of the fault.

This information is
.B EXTREMELY IMPORTANT
in determining what caused the internal error condition.  The
difficulty comes when a kernel developer attempts to analyze this
information.  The raw numeric information present in the protection
fault printout is of very little use to the developers.  This is due
to the fact that kernels are not identical and the addresses of
variable locations or functions will not be the same in all kernels.
In order to correctly diagnose the cause of failure a kernel developer
needs to know what specific kernel functions or variable locations
were involved in the error.

As part of the kernel compilation process a listing is created which
specified the address locations of important variables and function in
the kernel being compiled.  This listing is saved in a file called
System.map in the top of the kernel directory source tree.  Using this
listing a kernel developer can determine exactly what the kernel was
doing when the error condition occurred.

The process of resolving the numeric addresses from the protection
fault printout can be done manually or by using the
.B ksymoops
program which is included in the kernel sources.

As a convenience
.B klogd
will attempt to resolve kernel numeric addresses to their symbolic
forms if a kernel symbol table is available at execution time.  If you
require the original address of the symbol, use the
.B -2
switch to preserve the numeric address.  A
symbol table may be specified by using the \fB\-k\fR switch on the
command line.  If a symbol file is not explicitly specified the
following filenames will be tried:

.nf
.I /boot/System.map
.I /System.map
.I /usr/src/linux/System.map
.fi

Version information is supplied in the system maps as of kernel
1.3.43.  This version information is used to direct an intelligent
search of the list of symbol tables.  This feature is useful since it
provides support for both production and experimental kernels.

For example a production kernel may have its map file stored in
/boot/System.map.  If an experimental or test kernel is compiled with
the sources in the 'standard' location of /usr/src/linux the system
map will be found in /usr/src/linux/System.map.  When klogd starts
under the experimental kernel the map in /boot/System.map will be
bypassed in favor of the map in /usr/src/linux/System.map.

Modern kernels as of 1.3.43 properly format important kernel addresses
so that they will be recognized and translated by klogd.  Earlier
kernels require a source code patch be applied to the kernel sources.
This patch is supplied with the sysklogd sources.

The process of analyzing kernel protections faults works very well
with a static kernel.  Additional difficulties are encountered when
attempting to diagnose errors which occur in loadable kernel modules.
Loadable kernel modules are used to implement kernel functionality in
a form which can be loaded or unloaded at will.  The use of loadable
modules is useful from a debugging standpoint and can also be useful
in decreasing the amount of memory required by a kernel.