The syslog directory implements a communication protocol for gathering and persisting kernel and system logs for VMs. This diagram shows the flow of logs from the VM to the host system.
When maitred starts a VM, it also launches the VM log forwarding service
(vmlog_forwarder). This service listens on a well known port number on the
host system for kernel and userspace logs from VMs. Additionally it listens to
VmStartingUpSignal D-Bus signal from vm_concierge, and starts listening on
a Unix domain socket for logs from crosvm. From each source, log entries are
represented with the LogRecord protobuf message, which is defined in
vm_host.proto.
vmlog_forwarder converts LogRecord messages into an
RFC3164 syslog message and forwards it
either to a VM-specific file in the user cryptohome, or to
the host system's syslog daemon (rsyslogd on Chrome OS). Additionally,
vmlog_forwarder scrubs the contents of each LogRecord to ensure that the
message contents contain only valid UTF-8 code points. Control and
non-character code points are converted into a minimum 3-digit octal
representation while invalid codepoints are replaced with the UTF-8 replacement
character (U+fffd).
vm_syslog is a program that runs inside every VM and acts as the syslog daemon
for that VM, accepting RFC3164 compliant
messages from system processes running inside the VM.
vm_syslog converts all log entries (both kernel and userspace) into
LogRecord messages before sending them out to the vmlog_forwarder service
running on the host system. Readers may notice that vm_syslog accepts RFC3164
messages and vmlog_forwarder produces RFC3164 messages so it might seem
unnecessary to convert those entries into LogRecord messages. However, every
VM is entirely untrusted and we'd prefer to rely on the well-tested protubuf
parsing code instead of trying to roll our own parser for untrusted messages.