> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of [email protected]
> Sent: Thursday, September 06, 2012 9:45 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Kernel structured logging level and rsyslog iPriority
>
> On Thu, 6 Sep 2012, Milan Bartos wrote:
>
> > Hi all,
> >
> > I'm currently working on adding structured kernel logging into imklog module. First brief and devel code is at https://github.com/mbartos89/rsyslog_changes/commits/imklog, a lot of code will probably change.
> > Structured format is described at http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=kernel/printk.c;h=1ccc6d986cb391e0d0be4aced844231004460ff1;hb=e11fea92e13fb91c50bacca799a6131c81929986 around line 130.
> > Information is exported in /dev/kmsg and the first line of each record looks like:
> > "level,sequnum,timestamp;<message text>\n". According to comment from link above, level is e.g. LOG_ERR and that should be the syslog level/severity (According to Syslog, levels are from 0 (for emergency) to 7 (debug)).
> > However some messages have level over 7 (e.g. 46 as you can see vvv)
> > -- log --
> > 7,882,14331700;SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
> > 30,883,15748739;udevd[473]: starting version 182
> > 46,884,16534294;systemd-journald[468]: Fixed max_use=393.4M max_size=49.1M min_size=64.0K keep_free=196.7M
> > 46,885,16534592;systemd-journald[468]: Vacuuming...
> > -- end of log --
> >
> > My question is: Can I assign these levels to iSeverity of variable of type msg_t (in rsyslog) even when these are not between 0 and 7?
> > Or could level in kernel log be different than the syslog levels (LOG_ERR)?
> > Or am I completely wrong?
>
> the syslog severity levels cannot extend beyond 0-7, this is because the
> severity and facility values get combined into one 8 bit value per the
> syslog spec. So if you were to assign a larger number it would end up
> arriving at the other end looking very wrong.

Yeah, that's forbidden by RFC. I tried to change that in the IETF process, but could not convince enough other folks :-( So you need to map these new facilities into the existing set.

> You may want to take a look at the current development happening in the v7
> codebase. It's gaining a lot of new features around handling structured
> logs, which would include the capability to create new fields in addition
> to the stock ones (but realize that most people processing the logs will
> either only care about the traditional range, or will be completely
> ignoring the severity field)

It may make sense to add a "!linux!kernel" (or just "!kernel") subtree. This probably also is a question for the lumberjack and/or CEE mailing list.

Rainer
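Added example, not part of the thread and not rsyslog or imklog code: the level field of a /dev/kmsg record is the combined syslog PRI (facility * 8 + severity), so 30 and 46 in the quoted log both carry severity 6, with facility 3 and 5. The names kmsg_hdr, kmsg_parse and kmsg_pri are hypothetical; folding facilities above 23 to 0 and tolerating extra header fields before the ';' are assumptions of this sketch that go beyond the three-field format quoted above.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header of one /dev/kmsg record: "level,sequnum,timestamp;<message text>" */
struct kmsg_hdr {
    unsigned facility, severity;   /* level >> 3 and level & 7 */
    unsigned long long seq, ts;
    const char *text;              /* points into the caller's line */
};

/* Read one decimal field that must be followed by a byte listed in stop. */
static int field(const char **p, const char *stop, unsigned long long *v)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return -1;   /* no sign, no blanks */
    errno = 0;
    *v = strtoull(*p, &end, 10);
    if (errno || *end == '\0' || !strchr(stop, *end)) return -1;
    *p = end + 1;
    return 0;
}

int kmsg_parse(const char *p, struct kmsg_hdr *h)  /* 0 ok, -1 malformed */
{
    unsigned long long level;
    if (field(&p, ",", &level) || level > 0xffff) return -1;
    if (field(&p, ",", &h->seq) || field(&p, ";,", &h->ts)) return -1;
    if (!(p = strchr(p - 1, ';'))) return -1;  /* tolerate extra header fields */
    h->facility = (unsigned)(level >> 3);
    h->severity = (unsigned)(level & 7);       /* always 0..7 */
    h->text = p + 1;
    return 0;
}

/* RFC 5424 facilities are 0..23; folding others to 0 (kern) is this example's assumption. */
int kmsg_pri(const struct kmsg_hdr *h)
{
    return (int)((h->facility <= 23 ? h->facility : 0) << 3 | h->severity);
}

int main(void)
{
    struct kmsg_hdr h;   /* record below is from the log quoted in the thread */
    if (kmsg_parse("46,885,16534592;systemd-journald[468]: Vacuuming...", &h) == 0)
        printf("fac=%u sev=%u pri=%d %s\n", h.facility, h.severity, kmsg_pri(&h), h.text);
    return 0;
}
```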

