What systems exist for complex logging and security auditing in the kernel?
For example, let's say I wanted to register my specific code (i.e. a
security module) to log, and adjust to log level N. I also want another
module to log at log level L, which is lower than N. I want to print
logs at log level N..+2 and below to the console, but silently log all
log messages >N+2 to the syslog.
Anything?
If there's nothing, I'll write one. Shouldn't be too hard.
--
All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.
On Tue, 25 Jan 2005 01:26:14 EST, John Richard Moser said:
> For example, let's say I wanted to register my specific code (i.e. a
> security module) to log, and adjust to log level N. I also want another
> module to log at log level L, which is lower than N. I want to print
> logs at log level N..+2 and below to the console, but silently log all
> log messages >N+2 to the syslog.
>
> Anything?
from include/linux/kern.h:
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
Do all your printk in one module at KERN_NOTICE, and the other at KERN_INFO,
and then use klogd and syslogd to route them as you want.
Or use something like syslog-ng to route based on a regexp match, and then
just make sure your printk's include the module name, log everything at one
level, and route matches for 'modulea:' to one place and 'moduleb:' to
another.
Alternatively, use the 'audit' subsystem - but there you'll probably have to
modify the userspace auditd to recognize messages from the various modules and
route them appropriately.
If you're looking for a learning experience rather than getting code
completed, you can probably find a way to use netlink to do it too....
John Richard Moser <[email protected]> wrote:
> What systems exist for complex logging and security auditing in the kernel?
>
> For example, let's say I wanted to register my specific code (i.e. a
> security module) to log, and adjust to log level N. I also want another
> module to log at log level L, which is lower than N. I want to print
> logs at log level N..+2 and below to the console, but silently log all
> log messages >N+2 to the syslog.
The priority level can be adjusted using the printk sysctl.
See Documentation/sysctl/kernel.txt for details.
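The two replies above describe the same mechanism from two sides: each printk carries a "<N>" level prefix, the console_loglevel field of the printk sysctl decides which levels reach the console, and a syslog reader can further sort lines by a module-name prefix. The following userspace program is an added example written for this thread (it is not code from any of the posters or from the kernel tree): it parses the four-field "/proc/sys/kernel/printk" string, extracts the level from each line, applies the kernel's console rule (a message is shown on the console only when its level is strictly below console_loglevel, and lines without a prefix get default_message_loglevel), and tags lines by a "modulea:"/"moduleb:" prefix the way a syslog-ng match would. The sysctl values and the log lines are constructed for the demo.

```c
/* Added example, not from the thread: a userspace model of how a klogd/
 * syslogd-style reader routes printk output by level and by module prefix,
 * using the console_loglevel semantics of /proc/sys/kernel/printk.
 * All input below is constructed; no kernel access is needed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The four fields of /proc/sys/kernel/printk, in file order. */
struct printk_sysctl {
    int console_loglevel;         /* messages with level < this reach the console */
    int default_message_loglevel; /* level given to printk() calls with no <N> prefix */
    int minimum_console_loglevel; /* lowest value console_loglevel may be set to */
    int default_console_loglevel; /* value restored when console logging is re-enabled */
};

/* Parse "A B C D" (the sysctl's text form) into the struct; returns 1 on success. */
int parse_printk_sysctl(const char *text, struct printk_sysctl *out) {
    return sscanf(text, "%d %d %d %d", &out->console_loglevel,
                  &out->default_message_loglevel,
                  &out->minimum_console_loglevel,
                  &out->default_console_loglevel) == 4;
}

/* Extract the "<N>" level prefix from a printk line. Returns the level and
 * sets *body to the text after the prefix; a line with no prefix gets
 * default_level, which is how the kernel treats an unprefixed printk. */
int printk_level(const char *line, int default_level, const char **body) {
    if (line[0] == '<' && isdigit((unsigned char)line[1]) && line[2] == '>') {
        *body = line + 3;
        return line[1] - '0';
    }
    *body = line;
    return default_level;
}

/* Does the message body start with "<module>:"? (the syslog-ng regexp idea) */
int from_module(const char *body, const char *module) {
    size_t n = strlen(module);
    return strncmp(body, module, n) == 0 && body[n] == ':';
}

enum route { ROUTE_CONSOLE_AND_SYSLOG = 0, ROUTE_SYSLOG_ONLY = 1 };

/* The kernel's console rule: level < console_loglevel -> also shown on console. */
enum route route_for(int level, const struct printk_sysctl *cfg) {
    return level < cfg->console_loglevel ? ROUTE_CONSOLE_AND_SYSLOG : ROUTE_SYSLOG_ONLY;
}

/* Route one line, print the decision for the stand-alone demo, return the route. */
enum route route_line(const char *line, const struct printk_sysctl *cfg) {
    const char *body;
    int level = printk_level(line, cfg->default_message_loglevel, &body);
    enum route r = route_for(level, cfg);
    printf("[%d] %-7s %-9s %s\n", level,
           r == ROUTE_SYSLOG_ONLY ? "syslog" : "console",
           from_module(body, "modulea") ? "(modulea)" :
           from_module(body, "moduleb") ? "(moduleb)" : "(other)",
           body);
    return r;
}

int main(void) {
    struct printk_sysctl cfg;
    /* Constructed sysctl: console shows KERN_NOTICE (5) and more urgent, i.e. level < 6. */
    parse_printk_sysctl("6 4 1 7", &cfg);
    const char *lines[] = {
        "<5>modulea: policy reload complete",  /* KERN_NOTICE -> console + syslog */
        "<6>moduleb: cache hit ratio 93%",     /* KERN_INFO   -> syslog only */
        "<2>modulea: integrity check failed",  /* KERN_CRIT   -> console + syslog */
        "moduleb: line with no level prefix",  /* default 4   -> console + syslog */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        route_line(lines[i], &cfg);
    return 0;
}
```

With the constructed "6 4 1 7" the KERN_NOTICE lines go to the console and the KERN_INFO line is syslog-only, which is exactly the split the second reply proposes (one module at KERN_NOTICE, the other at KERN_INFO); raising or lowering the first sysctl field moves that boundary without touching either module.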