imklog: Kernel Log Input Module

Module Name:

imklog

Author:

Rainer Gerhards <rgerhards@adiscon.com>

Purpose

Reads messages from the kernel log and submits them to the syslog engine.

Configuration Parameters

Note

Parameter names are case-insensitive; camelCase is recommended for readability.

Module Parameters

Parameter                Summary

InternalMsgFacility      Sets the facility used for messages that imklog generates internally.

PermitNonKernelFacility  Controls whether imklog submits kernel log messages that use non-kernel facilities.

ConsoleLogLevel          Filters kernel console messages, printing only those with a severity up to the configured level.

ParseKernelTimestamp     Parses kernel-provided timestamps and uses them as the message time instead of the receive time.

KeepKernelTimestamp      Keeps the kernel-supplied timestamp prefix in each message when kernel timestamps are parsed.

LogPath                  Specifies the kernel log device or file that imklog reads.

RatelimitInterval        Sets the interval window for the imklog rate limiter in seconds.

RatelimitBurst           Specifies how many messages imklog can emit within the configured rate-limiting interval.

Caveats/Known Bugs

This module is platform specific and requires platform drivers. Currently, imklog functionality is available on Linux and BSD.

This module is not supported on Solaris and not needed there. For Solaris kernel input, use imsolaris.

Example 1

The following sample pulls messages from the kernel log. All parameters are left at their defaults, which is usually a good idea. Note that loading the plugin is sufficient to activate it; no directive is needed to start pulling kernel messages.

module(load="imklog")

Example 2

The following sample adds a ratelimiter. The burst and interval are set high to allow for a large volume of messages on boot.

module(load="imklog" RatelimitBurst="5000" RatelimitInterval="5")
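
Added example (not part of the rsyslog documentation or code): a small simulation for checking how many kernel messages a given RatelimitInterval/RatelimitBurst pair would discard during a burst, since dropped kernel messages are lost evidence for detection and forensics. It assumes a simplified fixed-window model of the limiter, and the arrival times are constructed sample data.

```python
"""Added example: estimate message loss for imklog rate-limit settings.

Assumption (simplified model, not rsyslog's code): a window opens at the
first message; up to `burst` messages pass until more than `interval`
seconds have elapsed, then a new window opens. An interval of 0 is
treated here as "limiter off" (also an assumption of this example).
"""


def simulate(timestamps, interval, burst):
    """Return (passed, dropped_per_window) for sorted arrival times in seconds.

    dropped_per_window maps each window's start time to the number of
    messages discarded in it; windows without loss are omitted.
    """
    if interval <= 0:                       # limiter off: nothing is dropped
        return len(timestamps), {}
    passed, dropped = 0, {}
    window_start, in_window = None, 0
    for t in timestamps:
        if window_start is None or t > window_start + interval:
            window_start, in_window = t, 0  # open a fresh window
        if in_window < burst:
            in_window += 1
            passed += 1
        else:
            dropped[window_start] = dropped.get(window_start, 0) + 1
    return passed, dropped


def constructed_boot_burst():
    """Constructed sample: 6000 messages in the first 3 s of boot, then
    one message per second for 60 s (values invented for illustration)."""
    burst = [i * 3.0 / 6000 for i in range(6000)]
    steady = [10.0 + s for s in range(60)]
    return burst + steady


if __name__ == "__main__":
    arrivals = constructed_boot_burst()
    # First pair is the setting from Example 2; the others are for comparison.
    for interval, burst in [(5, 5000), (5, 8000), (0, 0)]:
        passed, dropped = simulate(arrivals, interval, burst)
        lost = sum(dropped.values())
        print(f"interval={interval}s burst={burst}: passed={passed} lost={lost}")
        for start, n in sorted(dropped.items()):
            print(f"  window starting at {start:.2f}s dropped {n} messages")
```

To size the limiter for a real host, replace the constructed arrivals with the kernel timestamps from one of its own boot logs.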

Unsupported obsolete legacy directives

$DebugPrintKernelSymbols on/off

Linux only, ignored on other platforms (but may be specified). Defaults to off.

$klogLocalIPIF

This directive is no longer supported. Use the global $localHostIPIF directive instead.

$klogUseSyscallInterface on/off

Linux only, ignored on other platforms (but may be specified). Defaults to off.

$klogSymbolsTwice on/off

Linux only, ignored on other platforms (but may be specified). Defaults to off.



© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.