Re: Complex logging in the kernel

Re: Complex logging in the kernel

[Bodo Eggert]

John Richard Moser <nigelenki@comcast.net> wrote:

> What systems exist for complex logging and security auditing in the kernel?
> 
> For example, let's say I wanted to register my specific code (i.e. a
> security module) to log, and adjust to log level N.  I also want another
> module to log at log level L, which is lower than N.  I want to print
> logs at log level N..+2 and below to the console, but silently log all
> log messages >N+2 to the syslog.

The priority level can be adjusted using the printk sysctl.

See Documentation/sysctl/kernel.txt for details.

Re: Complex logging in the kernel

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 1722 bytes --]

On Tue, 25 Jan 2005 01:26:14 EST, John Richard Moser said:

> For example, let's say I wanted to register my specific code (i.e. a
> security module) to log, and adjust to log level N.  I also want another
> module to log at log level L, which is lower than N.  I want to print
> logs at log level N..+2 and below to the console, but silently log all
> log messages >N+2 to the syslog.
> 
> Anything?

from include/linux/kern.h:

#define KERN_EMERG      "<0>"   /* system is unusable                   */
#define KERN_ALERT      "<1>"   /* action must be taken immediately     */
#define KERN_CRIT       "<2>"   /* critical conditions                  */
#define KERN_ERR        "<3>"   /* error conditions                     */
#define KERN_WARNING    "<4>"   /* warning conditions                   */
#define KERN_NOTICE     "<5>"   /* normal but significant condition     */
#define KERN_INFO       "<6>"   /* informational                        */
#define KERN_DEBUG      "<7>"   /* debug-level messages                 */

Do all your printk in one module at KERN_NOTICE, and the other at KERN_INFO,
and then use klogd and syslogd to route them as you want.

Or use something like syslog-ng to route based on a regexp match, and then
just make sure your printk's include the module name, log everything at one
level, and route matches for 'modulea:' to one place and 'moduleb:' to
another.

Alternatively, use the 'audit' subsystem - but there you'll probably have to
modify the userspace auditd to recognize messages from the various modules and
route them appropriately.

If you're looking for a learning experience rather than getting code
completed, you can probably find a way to use netlink to do it too....

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

Complex logging in the kernel

[John Richard Moser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What systems exist for complex logging and security auditing in the kernel?

For example, let's say I wanted to register my specific code (i.e. a
security module) to log, and adjust to log level N.  I also want another
module to log at log level L, which is lower than N.  I want to print
logs at log level N..+2 and below to the console, but silently log all
log messages >N+2 to the syslog.

Anything?

If there's nothing, I'll write one.  Shouldn't be too hard.
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB9eaGhDd4aOud5P8RAlacAKCBztJpKckHnYHrfyiUxiHOdIBqXACgjuoA
Wk8hEbKRKWSWGsLZ1WGqKto=
=zYCD
-----END PGP SIGNATURE-----