I am learning about journald
and rsyslog
and while reading I saw that rsyslog
reads from /dev/kmsg
and that journald
can read from both /dev/kmsg
and /proc/ksmg
.
I know these are both kernel logs, but what is the difference between /proc/kmsg
and /dev/kmsg
? Why is one appear to be a process and another appear to be a device?
Best Answer
/proc/kmsg
provides a root-only, read-only, consuming view of the kernel log buffer. It’s equivalent to callingsyslog(2)
with theSYSLOG_ACTION_READ
action. As mentioned in theproc
manpage,/dev/kmsg
provides access to the same kernel log buffer, but in an easier-to-use fashion. Reads are tracked per open, so multiple processes can read in parallel, and entries aren’t removed from the buffer as they are read./dev/kmsg
also provides write access to the log buffer, so it can be used to add entries to the log buffer. See the/dev/kmsg
documentation for details.As for why both are present, and why one is in
/proc
(albeit not process-related) and one indev
,/proc/kmsg
is an old convenience “export” of kernel internals, and/dev/kmsg
is a more recent addition, designed as a usable interface to the log buffer.