Dmesg

From LQWiki

When the operating system's kernel starts up after you turn on your computer, you may see a lot of messages from the kernel as it detects devices and checks hardware. You may also see kernel messages while the operating system is running.

However, when troubleshooting, it may be difficult to track down these messages later. On Unix and Unix-like operating systems, the dmesg tool prints out these kernel log messages for later reference.

When invoked, it will simply print out all the kernel messages to the standard output. Shell redirection can be used to save this output.

Removing netfilter/iptables messages

If you would like to use dmesg after the system has booted, you may find it full of LOG messages from iptables/netfilter.
dmesg reads the /proc/kmsg kernel ring buffer, as does syslogd. Most firewall programs use LOG rules as their only option, which puts these messages into the ring buffer. Another option for logging exists with the ULOG target.

Intro

Iptables targets LOG & ULOG explained
Changing to ULOG targets in rules will remove messages from /proc/kmsg and make them available on netlink sockets. These can be read with the ulogd daemon.

Several other common packages default to netlink group 1, so netfilter rules should start from group 2 to avoid surprises.

ulogd

ulogd uses /etc/ulogd.conf by default. This needs to be altered to read:

nlgroup 2
logfile /var/log/ulog/ulogd2.log
loglevel 5
rmem 131071
bufsize 150000
plugin /usr/lib/ulogd/ulogd_BASE.so
syslogfile /var/log/ulog/netlink2.log
syslogsync 1
plugin /usr/lib/ulogd/ulogd_LOGEMU.so

logrotate

ulogd stops if the logfile exceeds 2048MB, so it needs to be rotated regularly. The ulogd package will include a rotation script, usually placed in /etc/logrotate.d/. However, this can't be used when several ulogd daemons are listening on netlink sockets: it assumes only one is ever running and signals the running processes badly. Change the file to read:

/var/log/ulog/*.log {
    missingok
    daily
    rotate 7
    copytruncate
    delaycompress
}

copytruncate is a fast way to rotate a file in place. delaycompress is used so that you can use standard tools on the uncompressed rotated file.

iptables

Now continue with Iptables ULOG Target
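
As an added example (not from this wiki or from the iptables project), the script below rewrites the LOG rules in an iptables-save dump to ULOG rules on netlink group 2, matching the nlgroup 2 setting in ulogd.conf above. The ruleset is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: move packet logging out of the kernel ring buffer (dmesg)
# by rewriting LOG targets to ULOG on the netlink group ulogd listens on.

NLGROUP=2   # group 1 is left to other packages, as advised above

# Constructed sample ruleset in iptables-save format (not from a real host).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG --log-prefix "ssh-in: " --log-level 4
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "drop-in: " --log-level 6 --log-tcp-options --log-ip-options
-A INPUT -j DROP
COMMIT
EOF
}

# Read an iptables-save dump on stdin and write it back with every LOG target
# replaced by ULOG. Options that only LOG understands (--log-level and the
# --log-tcp-*/--log-ip-options/--log-uid flags) have no ULOG counterpart and
# are dropped; the prefix is carried over as --ulog-prefix.
log_to_ulog() {
    sed -E "/-j LOG( |\$)/{
        s/ --log-level [^ ]+//
        s/ --log-(tcp-sequence|tcp-options|ip-options|uid)//g
        s/--log-prefix/--ulog-prefix/
        s/-j LOG( |\$)/-j ULOG --ulog-nlgroup ${NLGROUP}\\1/
    }"
}

# Count rules on stdin that still write to the kernel log.
# A result of 0 means no rule in the dump will add lines to dmesg.
count_log_rules() {
    grep -Ec -- '-j LOG( |$)' || true
}

# Demonstration on the constructed sample: print the converted ruleset.
sample_rules | log_to_ulog
```

To use it on real rules, pipe `iptables-save` into `log_to_ulog` and review the result before loading it with iptables-restore.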

How to...

Clear dmesg

dmesg -c

Provided by

Most (all?) Linux distributions incorporate this from the [util-linux] project.
