1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
.TH LOG 5
.CT 1 sa_nonmortals secur
.SH NAME
log \- format of security logging records
.SH SYNOPSIS
.B #include <sys/log.h>
.SH DESCRIPTION
The structure of system log file records
as declared in
.B <sys/log.h>
is
.EX
.ta \w'struct 'u +\w'logbuf 'u +\w'body[LOGLEN]; 'u
struct logbuf {
short len; /* total length of whole record */
short pid; /* process id */
long slug; /* transaction number */
char code; /* kind of record */
char mode; /* sub-kind */
char colon; /* ':', aids sync */
char body[LOGLEN];
};
.EE
The
.BR code
field identifies the kind of record;
for legal values see the include file.
In kernel records the
.B mode
field identifies where in the kernel
the logging record originated,
for user records it contains the minor device number of the
.BI /dev/log/log xx
file used to create the record.
.LP
The
.B body
field contains the logging record proper; its actual length is
determined from the
.B len
field.
In kernel records the
.B body
is a sequence of values,
each prefixed by one or more format bytes according to
the following list.
Multibyte numbers are represented low byte first.
.TP
.B s
Next two bytes are a byte count for following
string.
.TP
.B $
Next one byte is a byte count for following string, which
is typically a file component name.
.TP
.B C
Next byte is a byte count for following string, which is
the command name.
.TP
.B j
Next value is a security label: two bytes of
.B lb_priv
followed by two bytes of index into the kernel's
shared label table for the
lattice value of the label; see
.IR getflab (2).
.TP
.B J
Next value is a security label: two bytes of
.B lb_priv
followed by two bytes of index into the kernel's
shared label table for the
lattice value of the label,
followed by 60 bytes of
bits of the lattice value of the label.
.TP
.I n
Next
.I n
bytes
.RI (n =1,2,3,4)
represent a number.
.TP
.B I
Next bytes name an inode:
two bytes of device followed by two bytes of inumber.
.TP
.B E
The current system call suffered an
.B ELAB
error.
.TP
.B e
Next byte is an
.I errno
code; see
.IR intro (2).
.PP
The various bits of the log mask (see
.IR syslog (2)
are named
.BR LN ,
.BR LS ,
.BR LU ,
.BR LI ,
.BR LD ,
.BR LP ,
.BR LL ,
.BR LA ,
.BR LX ,
.BR LE ,
.BR LT ,
with the same meanings as the corresponding key letters defined in
.IR syslog (8).
.SH FILES
.F /dev/log
.SH "SEE ALSO"
.IR syslog (2),
.IR log (4),
.IR syslog (8)
.SH BUGS
The various kinds of kernel logging records are understandable only
by reading the kernel source code.
.br
It takes 7 bytes, not 4, to name an inode.
|
