I was wondering if anyone had a good solution for a proper source type for dmesg? Or, failing that, some way of handling the fact that it is different from most other logs, in that entries aren't always single lines and the timestamps are relative to system boot. That makes it difficult for the indexers to assign a timestamp to the entries.
A forwarder can't read dmesg command output. It will directly monitor /var/log/dmesg, which doesn't contain timestamps.
That's true!
If the UF runs as root, you can get continuous dmesg output using a scripted input.
I hope somebody can provide a solution to calculate a correct timestamp (if it is relevant).
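One way to do the timestamp calculation asked for above, as an added example that is not from this thread: a script for the scripted input that reads the boot time from /proc/stat and adds each entry's boot-relative offset, joining unprefixed continuation lines to the preceding entry. The script name and the sample lines are constructed assumptions.

```python
"""Rewrite dmesg's boot-relative timestamps as absolute ones (assumed use:
a Splunk scripted input, hypothetical name dmesg_abs.py). Caveat shared
with `dmesg -T`: offsets do not advance during suspend, so later entries skew."""
import re
import subprocess
import time

# dmesg's default prefix is "[%5lu.%06lu] " (seconds since boot).
_STAMP = re.compile(r"^\[\s*(\d+)\.(\d{6})\]\s?(.*)$")

def boot_time():
    """Boot time in epoch seconds, from the 'btime' line of /proc/stat."""
    with open("/proc/stat") as fh:
        for line in fh:
            if line.startswith("btime "):
                return int(line.split()[1])
    raise RuntimeError("btime not found in /proc/stat")

def convert(lines, btime):
    """Return [(epoch_secs, usecs, message)] per dmesg entry. A line with
    no bracketed prefix continues the previous (multi-line) entry."""
    entries = []
    for line in lines:
        m = _STAMP.match(line)
        if m:
            secs, usecs, msg = m.groups()
            entries.append([btime + int(secs), int(usecs), msg])
        elif entries:
            entries[-1][2] += "\n" + line
        else:  # text before any stamped line: attribute it to boot
            entries.append([btime, 0, line])
    return [tuple(e) for e in entries]

def format_entries(entries):
    """Render entries as 'YYYY-mm-ddTHH:MM:SS.uuuuuuZ message' (UTC)."""
    return ["%s.%06dZ %s" % (time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(s)), u, m)
            for s, u, m in entries]

# Constructed sample in dmesg's default format (not output from a real host).
SAMPLE = [
    "[    0.000000] Linux version 4.19.94-2.xxxx",
    "[  123.456789] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[  124.000001] Oops: something went wrong",
    "second line of the same entry",
    "third line of the same entry",
]

if __name__ == "__main__":
    raw = subprocess.run(["dmesg"], capture_output=True, text=True, check=True).stdout
    print("\n".join(format_entries(convert(raw.splitlines(), boot_time()))))
```

Reading the kernel log still needs root or kernel.dmesg_restrict=0, as noted above for the UF.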
Hello @scottj1y ,
The -T and -x switches:
switch -x - Decode facility and level (priority) number to human readable prefixes.
switch -T - Print human readable timestamps. The timestamp could be inaccurate!
[root@linux ~]# dmesg -x -T|head
kern :notice: [Fri Mar 27 14:42:48 2020] Linux version 4.19.94-2.xxxx
kern :info : [Fri Mar 27 14:42:48 2020] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.94-2.xxxxx
kern :info : [Fri Mar 27 14:42:48 2020] KERNEL supported cpus:
kern :info : [Fri Mar 27 14:42:48 2020] Intel GenuineIntel
kern :info : [Fri Mar 27 14:42:48 2020] AMD AuthenticAMD
kern :info : [Fri Mar 27 14:42:48 2020] Centaur CentaurHauls
kern :info : [Fri Mar 27 14:42:48 2020] Disabled fast string operations
kern :info : [Fri Mar 27 14:42:48 2020] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
With -T only:
[root@mwg42 ~]# dmesg -T|head
[Fri Mar 27 14:42:49 2020] Linux version 4.19.94-2.xxxx
[Fri Mar 27 14:42:49 2020] Command line: BOOT_IMAGE=xxxx
[Fri Mar 27 14:42:49 2020] KERNEL supported cpus:
[Fri Mar 27 14:42:49 2020] Intel GenuineIntel
[Fri Mar 27 14:42:49 2020] AMD AuthenticAMD
[Fri Mar 27 14:42:49 2020] Centaur CentaurHauls
[Fri Mar 27 14:42:49 2020] Disabled fast string operations
[Fri Mar 27 14:42:49 2020] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Indeed, dmesg can contain a lot of different log formats, so it is difficult to pick one right sourcetype. What about "dmesg"?
Is this for manually executed dmesg commands? If so, then you can just default to "now" as the event _time, and it would be fine.
No, this is for continuous monitoring like any other log file.