Bug 592039

Summary: Rklogd is gone and kernel log messages are not being logged by rsyslog
Product: Red Hat Enterprise Linux 5 Reporter: Erinn Looney-Triggs <erinn.looneytriggs>
Component: rsyslogAssignee: Tomas Heinrich <theinric>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 5.5CC: cww, donhoover, duck, ksrot, mpoole, opensource, pb, plyons, pvrabec, sgrubb, tao, theinric
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Although the previous release of the rsyslog packages replaced rklogd, a daemon that provided kernel logging, with a loadable module, it did not enable this functionality in the configuration. Consequent to this, rsyslog did not log the kernel messages at all. With this update, the /etc/rsyslog.conf configuration file has been corrected to include the "$ModLoad imklog" directive, and the kernel messages are now logged as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-21 06:08:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 582288    
Bug Blocks: 661149    

Description Erinn Looney-Triggs 2010-05-13 18:08:25 UTC 
While poking around trying to get iptables to log to syslog I noticed that none of the logging messages from the kernel were showing up in any of the log files, odd they used too...

I moved our systems to using rsyslog a while ago in an effort to try and stay ahead of where things were going a bit, and because I wanted tcp transport to our central logging server. Redhat offers this as a technology preview which is as far as I can tell long hand for no support. Anyway all worked well until recently when RHEL 5.5 was released, all of the sudden kernel logs stopped appearing, turns out rsyslog was re-based from 2.x to 3.x (http://rhn.redhat.com/errata/RHBA-2010-0213.html) which is really great because now I don't need stunnel for secure transport any more but rklogd is gone.

Well turns out rklogd disappearance is intentional: 

Version 3.10.0 (rgerhards), 2008-01-07
- rklogd is no longer provided. Its functionality has now been taken over by imklog, a loadable input module. This offers a much better integration into rsyslogd and makes sure that the kernel logger process is brought up and down at the appropriate times


That is great but the default install of rsyslog on RHEL 5.5 no longer has that functionality enabled by default, so no kernel messages for your logs, you can still get them via dmesg. To fix this problem take a look at the imklog module here: http://www.rsyslog.com/doc-imklog.html, but in short dropping the following into your /etc/rsyslog.conf will fix the issue:

#Load the Kernel logging module
$ModLoad imklog

Now I doubt this was intentional, or if it was it needed to be documented in the RHBA so I filed a bug.
Comment 1 Till Maas 2010-05-25 13:27:33 UTC 
This change surprised me very much, too.
Comment 2 Peter Bieringer 2010-06-09 09:01:13 UTC 
Grmml, this is a second major change (besides the timestamp format change https://bugzilla.redhat.com/show_bug.cgi?id=583621), which is incompatible to the old version.

I had not expected that RH QA had not catched such major changes.
Comment 3 Peter Bieringer 2010-06-09 09:40:09 UTC 
Filed SR#2029498 for speed up this issue
Comment 5 Erinn Looney-Triggs 2010-07-12 17:58:20 UTC 
Created Service Request: 2039452
Comment 7 RHEL Program Management 2010-08-09 19:47:44 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 12 Jaromir Hradilek 2010-12-13 09:53:38 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Although the previous release of the rsyslog packages replaced rklogd, a daemon that provided kernel logging, with a loadable module, it did not enable this functionality in the configuration. Consequent to this, rsyslog did not log the kernel messages at all. With this update, the /etc/rsyslog.conf configuration file has been corrected to include the "$ModLoad imklog" directive, and the kernel messages are now logged as expected.
Comment 19 errata-xmlrpc 2012-02-21 06:08:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0228.html