Kmsg - Scanner
Reads the kernel log ring buffer from /dev/kmsg and publishes what it reads as a “KMSG” event. Publishing is meant to depend on pattern matching ([WIP]: currently each line is published). The scanner tries to open the configured file for reading; if it is not found at the specified location, it tries to create a FIFO node using mkfifo(). Multiline kernel messages are not handled right now.
Published events
KMSG
–> Each line read from /dev/kmsg is published as is in the event payload field. It is also parsed to set the severity, classification and date of the published event. All events generated by the kmsg scanner have the message code 1111 “kernel log message”. If the message could not be parsed for some reason, severity and classification stay empty and the message code is set to 3422 “message not understood”. The format is:
{
  "date": [1684239716, 1668901000],
  "source": { "fileName": "\/dev\/kmsg" },
  "severity": 3,
  "classification": 1,
  "messageCode": 1111,
  "payload": "3,215,264071662,-;squashfs: Unknown parameter 'tmpfs'"
}
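The payload above is a raw /dev/kmsg record: a comma-separated prefix (priority, sequence number, timestamp in microseconds, flags) followed by ";" and the message text. The following added example, which is not elos code, parses that prefix strictly and selects between the two message codes named above; the type kmsg_record_t and the functions read_field and kmsg_parse are hypothetical names, and the mapping from syslog level to the elos severity and classification values is not reproduced because this page does not define it.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Message codes as stated on this page. */
#define MSG_KERNEL_LOG     1111
#define MSG_NOT_UNDERSTOOD 3422

/* Hypothetical result type for this example; not an elos structure. */
typedef struct {
    unsigned level;          /* syslog level: prefix value & 7 */
    unsigned facility;       /* syslog facility: prefix value >> 3 */
    unsigned long long seq;  /* kernel sequence number */
    unsigned long long usec; /* microseconds on the kernel's monotonic clock */
    const char *text;        /* message text, points into the input line */
    int messageCode;
} kmsg_record_t;

/* Read one unsigned decimal field that must be terminated by `end`. */
static int read_field(const char **p, char end, unsigned long long *out) {
    char *stop;
    if (!isdigit((unsigned char)**p)) return 0; /* no sign, no whitespace */
    errno = 0;
    *out = strtoull(*p, &stop, 10);
    if (errno != 0 || *stop != end) return 0;
    *p = stop + 1;
    return 1;
}

/* Parse one record of the form "prio,seq,usec,flags;text". */
kmsg_record_t kmsg_parse(const char *line) {
    kmsg_record_t r = {0};
    unsigned long long prio = 0;
    const char *p = line;
    const char *sep = line ? strchr(line, ';') : NULL;

    r.messageCode = MSG_NOT_UNDERSTOOD;
    if (sep == NULL) return r;
    /* prio bound is an assumption of this example, to reject absurd values */
    if (!read_field(&p, ',', &prio) || !read_field(&p, ',', &r.seq) ||
        !read_field(&p, ',', &r.usec) || prio > 0xFFFF) return r;
    r.level = (unsigned)(prio & 7);
    r.facility = (unsigned)(prio >> 3);
    r.text = sep + 1;
    r.messageCode = MSG_KERNEL_LOG;
    return r;
}
```

Lines that do not start with the numeric prefix, such as the space-indented continuation lines of a multiline record, end up with code 3422 in this sketch. The timestamp is relative to boot, so it is not directly comparable to the wall-clock "date" field of the event.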
Configuration
Compile time:
ELOSD_KMSG_FILE
–> the path to open; a character device or FIFO file node is expected. Default is /dev/kmsg
Environment:
ELOS_KMSG_FILE
–> the path to open; a character device or FIFO file node is expected. Default is ELOSD_SYSLOG_PATH
Json
Under root/elos/Scanner/Plugins add:
"<KmsgScanner Instance name>": {
    "File": "scanner_kmsg.so",
    "Run": "always",
    "Config": {
        "KmsgFile": "/dev/kmsg"
    }
}
Configuration structure
KmsgScanner
├── File
├── Run
└── Config
    └── KmsgFile