Home/ Questions/Q 7570387
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T15:24:44+00:00

I developed my own log processing program. To process logs originated from printk() ,

  • 0

I developed my own log processing program. To process logs originated from printk(), I read from kernel ring buffer like this:

#define _PATH_KLOG "/proc/kmsg"
CGR_INT kernelRingBufferFileDescriptor = open(_PATH_KLOG, O_RDONLY|O_NONBLOCK);
CGR_CHAR kernelLogMessage[MAX_KERNEL_RING_BUFFER + 1] = {'\0'};
while (1)
{
    ...
    read(kernelRingBufferFileDescriptor, kernelLogMessage + residueSize, MAX_KERNEL_RING_BUFFER);
    ...
}

my program is in user space. I remember whenever someone use read() to read data in the ring buffer (like I did above), the part that is read will be cleared from the ring buffer. Is it the case, or is it not?

I am confused about this, since there is always something in the ring buffer, and as a result, my program is very busy processing all these logs. So I am not sure is it because some module is keeping sending logs to me or is it because I read the same logs again and again since logs are not cleared.

TO figure out, I use klogctl() to check the ring buffer:

CGR_CHAR buf[MAX_KERNEL_RING_BUFFER] = {0};
int byteCount = klogctl(4, buf, MAX_KERNEL_RING_BUFFER - 1);    /* 4 -- Read and clear all messages remaining in the ring buffer */
printf("%s %d: data read from kernel ring buffer = \"%s\"\n",__FILE__, __LINE__, buf);

and I keep getting data all the time. Since klogctl() with argument 4 read and clear ring buffer, I kind of believing some module DOES sending logs to me all the time.

Can anyone tell me – does read() clear ring buffer?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Become root and run this cat /proc/kmsg >> File1.txt and cat /proc/kmsg >> File2.txt. Compare File1.txt and File2.txt You will immediately know whether the ring buffer is getting cleared on read() cos cat internally invokes read() anyways!

    Also read about ring buffers and how they behave in the Kernel Documentation here-
    http://www.mjmwired.net/kernel/Documentation/trace/ring-buffer-design.txt

    EDIT: I found something interesting in the book Linux Device Drivers by Jonathan Corbet-

    The printk function writes messages into a circular buffer that is
    __LOG_BUF_LEN bytes long: a value from 4 KB to 1 MB chosen while configuring the kernel. The function then wakes any process that is
    waiting for messages, that is, any process that is sleeping in the
    syslog system call or that is reading /proc/kmsg. These two interfaces
    to the logging engine are almost equivalent, but note that reading
    from /proc/kmsg consumes the data from the log buffer    , whereas the
    syslog system call can optionally return log data while leaving it for
    other processes as well. In general, reading the /proc file is easier
    and is the default behavior for klogd. The dmesg command can be used
    to look at the content of the buffer without flushing it; actually,
    the command returns to stdout the whole content of the buffer, whether
    or not it has already been read

    So in your particular case, if you are using a plain read(), I think the buffer is indeed getting cleared and new data is being constantly written into it and hence you find some data all the time! Kernel experts can correct me here!

    • 0