Comment 2 for bug 401433

The klog component of rsyslog has two modes, one reads from the kernel interface (klogctl) and one reads from /proc/kmsg (which secretly uses klogctl). klogctl will only let privileged processes read from it (well, anything that has CAP_SYS_ADMIN).

Ubuntu runs rsyslog unprivileged, but gets around this requirement by running a privileged dd instance that shovels /proc/kmsg to a location that rsyslog can read. Not pretty, but dd is relatively safe and certainly more narrow than running rsyslog with CAP_SYS_ADMIN. As a result, however, the klogctl mode doesn't really work.

The error message you are getting in your strace log is only used in klogctl mode. That mode is triggered by either the config field klogusesyscallinterface (case doesn't matter) or if the pipe /var/run/rsyslog/kmsg doesn't exist when rsyslog runs (it's created by the init script right before staring the daemon).

So... Is that config field set? Do you have any idea why /var/run/rsyslog/kmsg would not exist?

I suspect we should not respect that config field as long as we use the /proc/kmsg shoveling method.