What is the difference between /proc/kmsg and /dev/kmsg?

I am learning about journald and rsyslog and while reading I saw that rsyslog reads from /dev/kmsg and that journald can read from both /dev/kmsg and /proc/ksmg.

I know these are both kernel logs, but what is the difference between /proc/kmsg and /dev/kmsg? Why is one appear to be a process and another appear to be a device?

1 Answer

Sorted by:

                                              Highest score (default)                                                                   Date modified (newest first)                                                                   Date creat

/proc/kmsg provides a root-only, read-only, consuming view of the kernel log buffer. It’s equivalent to calling syslog(2) with the SYSLOG_ACTION_READ action. As mentioned in the proc manpage,

A process must have superuser privileges to read this file, and only one process should read this file. This file should not be read if a syslog process is running which uses the syslog(2) system call facility to log kernel messages.

/dev/kmsg provides access to the same kernel log buffer, but in an easier-to-use fashion. Reads are tracked per open, so multiple processes can read in parallel, and entries aren’t removed from the buffer as they are read. /dev/kmsg also provides write access to the log buffer, so it can be used to add entries to the log buffer. See the /dev/kmsg documentation for details.

As for why both are present, and why one is in /proc (albeit not process-related) and one in dev, /proc/kmsg is an old convenience “export” of kernel internals, and /dev/kmsg is a more recent addition, designed as a usable interface to the log buffer.