syslog, klogctl - read and/or clear kernel message ring buffer; set
/* The glibc interface */
int klogctl(int type, char *bufp, int len);
/* The handcrafted system call */
_syscall3(int, syslog, int, type, char *, bufp, int, len);
int syslog(int type, char *bufp, int len);
If you need the libc function syslog(), (that talks to syslogd(8)),
then look at syslog(3). The system call of this name is about control-
ling the kernel printk() buffer, and the glibc version is called
The type argument determines the action taken by this function.
Quoting from kernel/printk.c:
* Commands to sys_syslog:
* 0 -- Close the log. Currently a NOP.
* 1 -- Open the log. Currently a NOP.
* 2 -- Read from the log.
* 3 -- Read up to the last 4k of messages in the ring buffer.
* 4 -- Read and clear last 4k of messages in the ring buffer
* 5 -- Clear ring buffer.
* 6 -- Disable printk's to console
* 7 -- Enable printk's to console
* 8 -- Set level of messages printed to console
Only function 3 is allowed to non-root processes.
The kernel log buffer
The kernel has a cyclic buffer of length LOG_BUF_LEN (4096, since
1.3.54: 8192, since 2.1.113: 16384) in which messages given as argument
to the kernel function printk() are stored (regardless of their
The call syslog (2,buf,len) waits until this kernel log buffer is
nonempty, and then reads at most len bytes into the buffer buf. It
returns the number of bytes read. Bytes read from the log disappear
from the log buffer: the information can only be read once. This is
the function executed by the kernel when a user program reads
The call syslog (5,dummy,idummy) only executes the `clear ring buffer'
The kernel routine printk() will only print a message on the console,
if it has a loglevel less than the value of the variable con-
sole_loglevel (initially DEFAULT_CONSOLE_LOGLEVEL (7), but set to 10 if
the kernel commandline contains the word `debug', and to 15 in case of
a kernel fault - the 10 and 15 are just silly, and equivalent to 8).
This variable is set (to a value in the range 1-8) by the call syslog
(8,dummy,value). The calls syslog (type,dummy,idummy) with type equal
to 6 or 7, set it to 1 (kernel panics only) or 7 (all except debugging
Every text line in a message has its own loglevel. This level is
DEFAULT_MESSAGE_LOGLEVEL - 1 (6) unless the line starts with <d> where
d is a digit in the range 1-7, in which case the level is d. The con-
ventional meaning of the loglevel is defined in <linux/kernel.h> as
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
In case of error, -1 is returned, and errno is set. Otherwise, for type
equal to 2, 3 or 4, syslog() returns the number of bytes read, and oth-
EPERM An attempt was made to change console_loglevel or clear the ker-
nel message ring buffer by a process without root permissions.
EINVAL Bad parameters.
System call was interrupted by a signal - nothing was read.
(This can be seen only during a trace.)
This system call is Linux specific and should not be used in programs
intended to be portable.
From the very start people noted that it is unfortunate that kernel
call and library routine of the same name are entirely different ani-
mals. In libc4 and libc5 the number of this call was defined by
SYS_klog. In glibc 2.0 the syscall is baptised klogctl.