6

I'm on a VPS (Ubuntu 14.04.2 LTS, Kernel 3.13.0-042stab094.8, rsyslog 7.4.4-1ubuntu2.5) and kernel.log stays empty with only this line:

rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.

The server was preconfigured with syslogd and klogd from busybox. I deinstalled them and installed rsyslog with apt-get. Everything seemed to work fine. I have entries in all the other logfiles.

I'm not sure if it is relatet to this bug: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1366829

Felix
  • 71
  • 1
  • 1
  • 3

3 Answers3

6

I think the VPS is not a VM, but a container. Unpriviledged cotainers do not have access to kernel log for security reasons.

Mircea Vutcovici
  • 17,619
  • 4
  • 56
  • 83
4

If you don't need or have insufficient system access to read the kernel log, you can remove the imklog module (which is what attempts to read it)

-module(load="imklog")   # provides kernel logging support
+# module(load="imklog")   # provides kernel logging support

This Answer for the same issue under Docker suggests the following command, which can be incorporated into scripts

sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
ti7
  • 215
  • 2
  • 9
0

Reading from /proc/kmsg require superuser permissions. Did you start rsyslogd as root?

If so, please run the command ls -al /proc/kmsg and paste here the output.

shodanshok
  • 47,711
  • 7
  • 111
  • 180
  • /proc/kmsg is owned by (root:root). But what troubles me is, that kernel logginging to kernel.log should work, even when rsyslogd drops privileges, like a ubuntu default installation. I wonder how this is solved. – Felix May 11 '15 at 11:09
  • `/var/log/kernel.log` can very well be root-only writable. This means that if rsyslogd runs with lower privileges, it could not write to it. With which user run your rsyslogd instance? Can you provide `ls -al /proc/ksmg`, `ls -al /var/log/kernel.log` and `ps ax | grep rsyslog`? – shodanshok May 12 '15 at 07:35
  • $ ls -al /proc/kmsg -r-------- 1 root root 0 May 11 08:37 /proc/kmsg $ ls -al /var/log/kern.log -rw-r----- 1 syslog adm 115 May 11 08:37 /var/log/kern.log $ ps auxw | grep rsyslog syslog 332 0.0 0.1 186352 14640 ? Ssl May11 0:07 rsyslogd So kern.log is writeable for rsyslog, but /proc/kmsg is not readable. The question is, how does ubuntu solves this in a default installation? – Felix May 12 '15 at 13:56
  • 2
    On my Ubuntu 12.04 LTS, permissions are precisely as on your machine. Basically, rsyslogd start as root and opens /proc/kmsg, then it drops privileges. It seems that some kernel/rsyslogd combination have problems with the privilege dropping (eg: [read here](https://bugs.launchpad.net/ubuntu/lucid/+source/rsyslog/+bug/523610). You can try to disable the privilege-dropping feature: edit `/etc/rsyslog.conf` and comments the lines with `$PrivDropToUser syslog` and `$PrivDropToGroup syslog`, then restart rsyslogd. – shodanshok May 12 '15 at 14:23