When working with CentOS or Red Hat Enterprise Linux systems, kernel logs provide crucial low-level system information, particularly valuable for debugging network stack configurations. Unlike standard application logs, kernel messages require specific handling due to their privileged nature.
The primary methods for viewing kernel logs include:
# View current kernel messages
dmesg
# Follow live kernel messages
dmesg -w
# View persistent kernel logs (systemd systems)
journalctl -k
For long-term logging (especially important when debugging TCP stack issues):
# Configure rsyslog to capture kernel messages
echo "kern.* /var/log/kern.log" | sudo tee /etc/rsyslog.d/kern.conf
# Restart logging service
sudo systemctl restart rsyslog
When tuning TCP parameters in /etc/sysctl.conf, monitor these specific kernel messages:
# Watch for TCP-related kernel messages
dmesg | grep -i 'tcp\|socket\|connection'
# Alternative with journalctl (-g/--grep needs systemd 237 or later, so it is not available on CentOS/RHEL 7)
journalctl -k -g 'tcp|socket|connection' --since "1 hour ago"
For Amazon Linux instances, additional configuration might be needed:
# Ensure rsyslog is running and enabled at boot (EC2)
sudo service rsyslog start
sudo chkconfig rsyslog on
# Alternative method for older systems
sudo service sysklogd start
Use these techniques for focused debugging:
# Filter by log level (emerg, alert, crit, err, warn, notice, info, debug)
dmesg -l err,warn
# Combine with grep for TCP debugging
dmesg -l err,warn | grep -i tcp
# Monitor specific kernel subsystems
dmesg --facility=kern
When tuning TCP parameters in /etc/sysctl.conf, kernel logs become essential for monitoring stack behavior. Here's how to access them:
# View current kernel messages
dmesg
# Follow real-time kernel logs
journalctl -k --follow
# Persistent logging configuration
sudo vi /etc/rsyslog.conf
For long-term debugging of TCP stack issues, configure rsyslog to persist kernel messages:
# Add to /etc/rsyslog.conf
kern.* /var/log/kernel.log
# Then restart the service
sudo systemctl restart rsyslog
Combine kernel logs with specific TCP monitoring:
# Filter TCP-related kernel messages
dmesg | grep -i tcp
# Monitor SYN queue drops (common tuning issue)
watch -n 1 'netstat -s | grep -i "listen\|overflow"'
# Permanent monitoring setup: raise the console log level (needs root)
echo 'kernel.printk = 7 4 1 7' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
When increasing net.core.somaxconn, verify through logs:
# Before changes
grep "TCP: backlog overflow" /var/log/kernel.log
# After config changes
sudo sysctl -w net.core.somaxconn=4096
netstat -s | grep overflow
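To check a net.core.somaxconn change as a number rather than by eye, this added example (not from the original page) reads the ListenOverflows and ListenDrops counters from /proc/net/netstat snapshots, the source of the `netstat -s` lines grepped above, and counts "Possible SYN flooding" warnings in a saved kernel log. The function names and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Sample data is constructed.

# tcpext_counter NAME [FILE]: print one TcpExt counter. FILE defaults to
# /proc/net/netstat: a "TcpExt:" line of names, then a "TcpExt:" line of values.
tcpext_counter() {
    awk -v want="$1" '
        $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
        $1 == "TcpExt:" { if (want in col) { print $(col[want]); found = 1 } exit }
        END { if (!found) exit 1 }
    ' "${2:-/proc/net/netstat}"
}

# listen_delta BEFORE AFTER: growth of the accept-queue counters that
# `netstat -s | grep -i "listen\|overflow"` reports, between two snapshots.
listen_delta() (
    o1=$(tcpext_counter ListenOverflows "$1") || exit 1
    o2=$(tcpext_counter ListenOverflows "$2") || exit 1
    d1=$(tcpext_counter ListenDrops "$1") || exit 1
    d2=$(tcpext_counter ListenDrops "$2") || exit 1
    echo "overflows=$((o2 - o1)) drops=$((d2 - d1))"
)

# syn_flood_lines [FILE]: count "Possible SYN flooding" kernel warnings in a
# saved kernel log (stdin if FILE is omitted).
syn_flood_lines() {
    grep -c 'Possible SYN flooding on port' "${1:--}" || true
}

# make_samples DIR: write constructed before/after snapshots and a kernel log.
make_samples() {
    hdr='TcpExt: SyncookiesSent ListenOverflows ListenDrops'
    printf '%s\n' "$hdr" 'TcpExt: 0 1520 1544' 'IpExt: InOctets' 'IpExt: 99' > "$1/before"
    printf '%s\n' "$hdr" 'TcpExt: 4 1523 1549' 'IpExt: InOctets' 'IpExt: 99' > "$1/after"
    printf '%s\n' \
        '[ 1042.118] TCP: request_sock_TCP: Possible SYN flooding on port 8080. Sending cookies.' \
        '[ 1050.220] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex' > "$1/kern.log"
}

# Demo on the constructed data; on a live host, snapshot with
# `cat /proc/net/netstat > before` around the sysctl change instead.
tmp=$(mktemp -d) && make_samples "$tmp"
listen_delta "$tmp/before" "$tmp/after"      # overflows=3 drops=5
echo "syn_flood_warnings=$(syn_flood_lines "$tmp/kern.log")"
rm -rf "$tmp"
```

A delta that keeps growing after the change means the accept queue is still overflowing, typically because the application's own listen() backlog is lower than the new somaxconn value.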
For cloud environments, additional steps may be needed:
# Install the CloudWatch Logs agent (awslogs) if missing
sudo yum install -y awslogs
# Configure CloudWatch for kernel logs
sudo vi /etc/awslogs/awslogs.conf
# Contents of /etc/awslogs/awslogs.conf:
[general]
state_file = /var/lib/awslogs/agent-state
[kernel]
file = /var/log/kernel.log
log_group_name = /var/log/kernel.log
log_stream_name = {instance_id}