I am learning about journald
and rsyslog
and while reading I saw that rsyslog
reads from /dev/kmsg
and that journald
can read from both /dev/kmsg
and /proc/ksmg
.
I know these are both kernel logs, but what is the difference between /proc/kmsg
and /dev/kmsg
? Why is one appear to be a process and another appear to be a device?
1 Answer
Sorted by:
Highest score (default) Date modified (newest first) Date creat
/proc/kmsg
provides a root-only, read-only, consuming view of the kernel log buffer. It’s equivalent to calling syslog(2) with the SYSLOG_ACTION_READ
action. As mentioned in the proc manpage,
A process must have superuser privileges to read this file, and only one process should read this file. This file should not be read if a syslog process is running which uses the syslog(2) system call facility to log kernel messages.
/dev/kmsg
provides access to the same kernel log buffer, but in an easier-to-use fashion. Reads are tracked per open, so multiple processes can read in parallel, and entries aren’t removed from the buffer as they are read. /dev/kmsg
also provides write access to the log buffer, so it can be used to add entries to the log buffer. See the /dev/kmsg documentation for details.
As for why both are present, and why one is in /proc
(albeit not process-related) and one in dev
, /proc/kmsg
is an old convenience “export” of kernel internals, and /dev/kmsg
is a more recent addition, designed as a usable interface to the log buffer.