Blob Blame History Raw
From c036609d34dfbfded9891be83d5e43db0a9feae2 Mon Sep 17 00:00:00 2001
From: Jakub Filak <jfilak@redhat.com>
Date: Mon, 7 Jul 2014 18:11:13 +0200
Subject: [PATCH 4/9] koops: dump oopses from systemd-journal

Resolves rhbz#1059724
---
 configure.ac                         |   3 +
 doc/Makefile.am                      |   1 +
 doc/abrt-dump-journal-oops.txt       |  68 ++++++
 init-scripts/abrt-oops.service       |   4 +-
 po/POTFILES.in                       |   2 +
 src/include/libabrt.h                |  19 ++
 src/lib/kernel.c                     | 103 +++++----
 src/plugins/Makefile.am              |  23 ++
 src/plugins/abrt-dump-journal-oops.c | 394 +++++++++++++++++++++++++++++++++++
 src/plugins/abrt-dump-oops.c         | 313 ++++------------------------
 src/plugins/abrt-journal.c           | 295 ++++++++++++++++++++++++++
 src/plugins/abrt-journal.h           | 110 ++++++++++
 src/plugins/oops-utils.c             | 279 +++++++++++++++++++++++++
 src/plugins/oops-utils.h             |  48 +++++
 15 files changed, 1353 insertions(+), 310 deletions(-)
 create mode 100644 doc/abrt-dump-journal-oops.txt
 create mode 100644 src/plugins/abrt-dump-journal-oops.c
 create mode 100644 src/plugins/abrt-journal.c
 create mode 100644 src/plugins/abrt-journal.h
 create mode 100644 src/plugins/oops-utils.c
 create mode 100644 src/plugins/oops-utils.h

diff --git a/configure.ac b/configure.ac
index c051ec5..03882e9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,6 +140,7 @@ PKG_CHECK_MODULES([LIBREPORT_GTK], [libreport-gtk])
 PKG_CHECK_MODULES([POLKIT], [polkit-gobject-1])
 PKG_CHECK_MODULES([GIO], [gio-2.0])
 PKG_CHECK_MODULES([SATYR], [satyr])
+PKG_CHECK_MODULES([SYSTEMD_JOURNAL], [libsystemd-journal])
 
 PKG_PROG_PKG_CONFIG
 AC_ARG_WITH([systemdsystemunitdir],
@@ -167,6 +168,7 @@ AC_CHECK_HEADERS([locale.h])
 CONF_DIR='${sysconfdir}/${PACKAGE_NAME}'
 DEFAULT_CONF_DIR='${datadir}/${PACKAGE_NAME}/conf.d'
 VAR_RUN='${localstatedir}/run'
+VAR_STATE='${localstatedir}/lib/${PACKAGE_NAME}'
 PLUGINS_CONF_DIR='${sysconfdir}/${PACKAGE_NAME}/plugins'
 DEFAULT_PLUGINS_CONF_DIR='${datadir}/${PACKAGE_NAME}/conf.d/plugins'
 EVENTS_DIR='${datadir}/libreport/events'
@@ -255,6 +257,7 @@ AC_ARG_ENABLE([native-unwinder],
 AC_SUBST(CONF_DIR)
 AC_SUBST(DEFAULT_CONF_DIR)
 AC_SUBST(VAR_RUN)
+AC_SUBST(VAR_STATE)
 AC_SUBST(PLUGINS_CONF_DIR)
 AC_SUBST(DEFAULT_PLUGINS_CONF_DIR)
 AC_SUBST(EVENTS_CONF_DIR)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 55cb0f3..064e2ba 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -19,6 +19,7 @@ MAN1_TXT += abrt-action-perform-ccpp-analysis.txt
 MAN1_TXT += abrt-action-notify.txt
 MAN1_TXT += abrt-applet.txt
 MAN1_TXT += abrt-dump-oops.txt
+MAN1_TXT += abrt-dump-journal-oops.txt
 MAN1_TXT += abrt-dump-xorg.txt
 MAN1_TXT += abrt-auto-reporting.txt
 MAN1_TXT += abrt-retrace-client.txt
diff --git a/doc/abrt-dump-journal-oops.txt b/doc/abrt-dump-journal-oops.txt
new file mode 100644
index 0000000..e0b8d79
--- /dev/null
+++ b/doc/abrt-dump-journal-oops.txt
@@ -0,0 +1,68 @@
+abrt-dump-journal-oops(1)
+=========================
+
+NAME
+----
+abrt-dump-journal-oops - Extract oops from systemd-journal
+
+SYNOPSIS
+--------
+'abrt-dump-journal-oops' [-vsoxtf] [-e]/[-c CURSOR] [-d DIR]/[-D]
+
+DESCRIPTION
+-----------
+This tool creates problem directory from oops extracted from systemd-journal.
+The tool can follow systemd-journal and extract oopses in time of their
+occurrence.
+
+The following start from the last seen cursor. If the last seen cursor file
+does not exist, the following start by scanning the entire sytemd-journal or
+from the end if '-e' option is specified.
+
+FILES
+-----
+/etc/abrt/plugins/oops.conf::
+   Configuration file where user can disable detection of non-fatal MCEs
+
+/var/lib/abrt/abrt-dump-journal-oops.state::
+   State file where systemd-journal cursor to the last seen message is saved
+
+OPTIONS
+-------
+-v, --verbose::
+   Be more verbose. Can be given multiple times.
+
+-s::
+   Log to syslog
+
+-o::
+   Print found oopses on standard output
+
+-d DIR::
+   Create new problem directory in DIR for every oops found
+
+-D::
+   Same as -d DumpLocation, DumpLocation is specified in abrt.conf
+
+-s CURSOR::
+   Starts scannig systemd-journal from CURSOR
+
+-e::
+   Starts following systemd-journal from the end
+
+-x::
+   Make the problem directory world readable. Usable only with -d/-D
+
+-t::
+   Throttle problem directory creation to 1 per second
+
+-f::
+   Follow systemd-journal
+
+SEE ALSO
+--------
+abrt.conf(5)
+
+AUTHORS
+-------
+* ABRT team
diff --git a/init-scripts/abrt-oops.service b/init-scripts/abrt-oops.service
index d8ac028..69aaaa9 100644
--- a/init-scripts/abrt-oops.service
+++ b/init-scripts/abrt-oops.service
@@ -4,8 +4,8 @@ After=abrtd.service
 Requisite=abrtd.service
 
 [Service]
-# TODO: do we really need absolute paths here?
-ExecStart=/bin/sh -c '/bin/dmesg | /usr/bin/abrt-dump-oops -xD; exec /usr/bin/abrt-watch-log -F "`/usr/bin/abrt-dump-oops -m`" /var/log/messages -- /usr/bin/abrt-dump-oops -xtD'
+# systemd requires absolute paths to executables
+ExecStart=/usr/bin/abrt-dump-journal-oops -fxtD
 
 [Install]
 WantedBy=multi-user.target
diff --git a/po/POTFILES.in b/po/POTFILES.in
index ff9b97a..160cd8b 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -35,12 +35,14 @@ src/plugins/abrt-action-trim-files.c
 src/plugins/abrt-gdb-exploitable
 src/plugins/abrt-watch-log.c
 src/plugins/abrt-dump-oops.c
+src/plugins/abrt-dump-journal-oops.c
 src/plugins/abrt-dump-xorg.c
 src/plugins/abrt-retrace-client.c
 src/plugins/analyze_LocalGDB.xml.in
 src/plugins/analyze_RetraceServer.xml.in
 src/plugins/collect_xsession_errors.xml.in
 src/plugins/https-utils.c
+src/plugins/oops-utils.c
 src/plugins/bodhi.c
 
 src/hooks/abrt-merge-pstoreoops.c
diff --git a/src/include/libabrt.h b/src/include/libabrt.h
index d6eb4a5..37704dd 100644
--- a/src/include/libabrt.h
+++ b/src/include/libabrt.h
@@ -109,8 +109,27 @@ char *kernel_tainted_long(const char *tainted_short);
 int koops_hash_str_ext(char hash_str[SHA1_RESULT_LEN*2 + 1], const char *oops_buf, int frame_count, int duphas_flags);
 #define koops_hash_str abrt_koops_hash_str
 int koops_hash_str(char hash_str[SHA1_RESULT_LEN*2 + 1], const char *oops_buf);
+
+
+#define koops_line_skip_level abrt_koops_line_skip_level
+int koops_line_skip_level(const char **c);
+#define koops_line_skip_jiffies abrt_koops_line_skip_jiffies
+void koops_line_skip_jiffies(const char **c);
+
+/*
+ * extract_oops tries to find oops signatures in a log
+ */
+struct abrt_koops_line_info {
+    char *ptr;
+    int level;
+};
+
+#define koops_extract_oopses_from_lines abrt_koops_extract_oopses_from_lines
+void koops_extract_oopses_from_lines(GList **oops_list, const struct abrt_koops_line_info *lines_info, int lines_info_size);
 #define koops_extract_oopses abrt_koops_extract_oopses
 void koops_extract_oopses(GList **oops_list, char *buffer, size_t buflen);
+#define koops_suspicious_strings_list abrt_koops_suspicious_strings_list
+GList *koops_suspicious_strings_list(void);
 #define koops_print_suspicious_strings abrt_koops_print_suspicious_strings
 void koops_print_suspicious_strings(void);
 /**
diff --git a/src/lib/kernel.c b/src/lib/kernel.c
index b2d72b6..be80cbc 100644
--- a/src/lib/kernel.c
+++ b/src/lib/kernel.c
@@ -22,21 +22,12 @@
 #define _GNU_SOURCE 1 /* for strcasestr */
 #include "libabrt.h"
 
-/*
- * extract_oops tries to find oops signatures in a log
- */
-
-struct line_info {
-    char *ptr;
-    char level;
-};
-
 /* Used to be 100, but some MCE oopses are short:
  * "CPU 0: Machine Check Exception: 0000000000000007"
  */
 #define SANE_MIN_OOPS_LEN 30
 
-static void record_oops(GList **oops_list, struct line_info* lines_info, int oopsstart, int oopsend)
+static void record_oops(GList **oops_list, const struct abrt_koops_line_info* lines_info, int oopsstart, int oopsend)
 {
     int q;
     int len;
@@ -161,6 +152,15 @@ void koops_print_suspicious_strings(void)
     koops_print_suspicious_strings_filtered(NULL);
 }
 
+GList *koops_suspicious_strings_list(void)
+{
+    GList *strings = NULL;
+    for (const char *const *str = s_koops_suspicious_strings; *str; ++str)
+        strings = g_list_prepend(strings, (gpointer)*str);
+
+    return strings;
+}
+
 static bool match_any(const regex_t **res, const char *str)
 {
     for (const regex_t **r = res; *r != NULL; ++r)
@@ -189,12 +189,57 @@ void koops_print_suspicious_strings_filtered(const regex_t **filterout)
     }
 }
 
+
+void koops_line_skip_jiffies(const char **c)
+{
+    /* remove jiffies time stamp counter if present
+     * jiffies are unsigned long, so it can be 2^64 long, which is
+     * 20 decimal digits
+     */
+    if (**c == '[')
+    {
+        const char *c2 = strchr(*c, '.');
+        const char *c3 = strchr(*c, ']');
+        if (c2 && c3 && (c2 < c3) && (c3-*c) < 21)
+        {
+            *c = c3 + 1;
+            if (**c == ' ')
+                (*c)++;
+        }
+    }
+}
+
+int koops_line_skip_level(const char **c)
+{
+    int linelevel = 0;
+    if (**c == '<')
+    {
+        const char *ptr = *c + 1;
+        while (isdigit(*ptr))
+            ++ptr;
+
+        if (*ptr == '>' && (ptr - *c > 1))
+        {
+            const char *const bck = ptr + 1;
+            unsigned exp = 1;
+            while (--ptr != *c)
+            {
+                linelevel += (*ptr - '0') * exp;
+                exp *= 10;
+            }
+            *c = bck;
+        }
+    }
+
+    return linelevel;
+}
+
 void koops_extract_oopses(GList **oops_list, char *buffer, size_t buflen)
 {
     char *c;
     int linecount = 0;
     int lines_info_size = 0;
-    struct line_info *lines_info = NULL;
+    struct abrt_koops_line_info *lines_info = NULL;
 
     /* Split buffer into lines */
 
@@ -254,28 +299,10 @@ void koops_extract_oopses(GList **oops_list, char *buffer, size_t buflen)
             c = kernel_str + sizeof("kernel: ")-1;
         }
 
-        linelevel = 0;
         /* store and remove kernel log level */
-        if (*c == '<' && c[1] && c[2] == '>')
-        {
-            linelevel = c[1];
-            c += 3;
-        }
-        /* remove jiffies time stamp counter if present
-         * jiffies are unsigned long, so it can be 2^64 long, which is
-         * 20 decimal digits
-         */
-        if (*c == '[')
-        {
-            char *c2 = strchr(c, '.');
-            char *c3 = strchr(c, ']');
-            if (c2 && c3 && (c2 < c3) && (c3-c) < 21)
-            {
-                c = c3 + 1;
-                if (*c == ' ')
-                    c++;
-            }
-        }
+        linelevel = koops_line_skip_level((const char **)&c);
+        koops_line_skip_jiffies((const char **)&c);
+
         if ((lines_info_size & 0xfff) == 0)
         {
             lines_info = xrealloc(lines_info, (lines_info_size + 0x1000) * sizeof(lines_info[0]));
@@ -287,6 +314,12 @@ next_line:
         c = c9 + 1;
     }
 
+    koops_extract_oopses_from_lines(oops_list, lines_info, lines_info_size);
+    free(lines_info);
+}
+
+void koops_extract_oopses_from_lines(GList **oops_list, const struct abrt_koops_line_info *lines_info, int lines_info_size)
+{
     /* Analyze lines */
 
     int i;
@@ -323,8 +356,6 @@ next_line:
             {
                 /* debug information */
                 log_debug("Found oops at line %d: '%s'", oopsstart, lines_info[oopsstart].ptr);
-                if (oopsstart != i)
-                        log_debug("Trigger line is %d: '%s'", i, c);
                 /* try to find the end marker */
                 int i2 = i + 1;
                 while (i2 < lines_info_size && i2 < (i+50))
@@ -471,10 +502,7 @@ next_line:
             record_oops(oops_list, lines_info, oopsstart, oopsstart);
         }
     }
-
-    free(lines_info);
 }
-
 int koops_hash_str_ext(char result[SHA1_RESULT_LEN*2 + 1], const char *oops_buf, int frame_count, int duphash_flags)
 {
     char *hash_str = NULL, *error = NULL;
@@ -507,6 +535,7 @@ int koops_hash_str_ext(char result[SHA1_RESULT_LEN*2 + 1], const char *oops_buf,
         else
             log("Nothing useful for duphash");
 
+
         free(hash_str);
     }
 
diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am
index 14b6fe0..a804f82 100644
--- a/src/plugins/Makefile.am
+++ b/src/plugins/Makefile.am
@@ -15,6 +15,7 @@ bin_SCRIPTS = \
 bin_PROGRAMS = \
     abrt-watch-log \
     abrt-dump-oops \
+    abrt-dump-journal-oops \
     abrt-dump-xorg \
     abrt-action-analyze-c \
     abrt-action-analyze-python \
@@ -97,6 +98,8 @@ EXTRA_DIST = \
     abrt-action-ureport \
     abrt-gdb-exploitable \
     https-utils.h \
+    oops-utils.h \
+    abrt-journal.h \
     post_report.xml.in \
     abrt-action-analyze-ccpp-local.in
 
@@ -120,6 +123,7 @@ abrt_watch_log_LDADD = \
     ../lib/libabrt.la
 
 abrt_dump_oops_SOURCES = \
+    oops-utils.c \
     abrt-dump-oops.c
 abrt_dump_oops_CPPFLAGS = \
     -I$(srcdir)/../include \
@@ -133,6 +137,25 @@ abrt_dump_oops_LDADD = \
     $(LIBREPORT_LIBS) \
     ../lib/libabrt.la
 
+abrt_dump_journal_oops_SOURCES = \
+    oops-utils.c \
+    abrt-journal.c \
+    abrt-dump-journal-oops.c
+abrt_dump_journal_oops_CPPFLAGS = \
+    -I$(srcdir)/../include \
+    -I$(srcdir)/../lib \
+    $(GLIB_CFLAGS) \
+    $(LIBREPORT_CFLAGS) \
+    $(SYSTEMD_JOURNAL_CFLAGS) \
+    -DDEFAULT_DUMP_DIR_MODE=$(DEFAULT_DUMP_DIR_MODE) \
+    -DVAR_STATE=\"$(VAR_STATE)\" \
+    -D_GNU_SOURCE
+abrt_dump_journal_oops_LDADD = \
+    $(GLIB_LIBS) \
+    $(LIBREPORT_LIBS) \
+    $(SYSTEMD_JOURNAL_LIBS) \
+    ../lib/libabrt.la
+
 abrt_dump_xorg_SOURCES = \
     abrt-dump-xorg.c
 abrt_dump_xorg_CPPFLAGS = \
diff --git a/src/plugins/abrt-dump-journal-oops.c b/src/plugins/abrt-dump-journal-oops.c
new file mode 100644
index 0000000..3f1f419
--- /dev/null
+++ b/src/plugins/abrt-dump-journal-oops.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) 2014  ABRT team
+ * Copyright (C) 2014  RedHat Inc
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#include "libabrt.h"
+#include "abrt-journal.h"
+#include "oops-utils.h"
+
+#define ABRT_JOURNAL_WATCH_STATE_FILE VAR_STATE"/abrt-dump-journal-oops.state"
+#define ABRT_JOURNAL_WATCH_STATE_FILE_MODE 0600
+#define ABRT_JOURNAL_WATCH_STATE_FILE_MAX_SZ (4 * 1024)
+
+/* Limit number of buffered lines */
+#define ABRT_JOURNAL_MAX_READ_LINES (1024 * 1024)
+
+/* Forward declarations */
+static void save_abrt_journal_watch_position(abrt_journal_t *journal, const char *file_name);
+
+/*
+ * Koops extractor
+ */
+
+static GList* abrt_journal_extract_kernel_oops(abrt_journal_t *journal)
+{
+    size_t lines_info_count = 0;
+    size_t lines_info_size = 32;
+    struct abrt_koops_line_info *lines_info = xmalloc(lines_info_size * sizeof(lines_info[0]));
+
+    do
+    {
+        const char *line = NULL;
+        if (abrt_journal_get_log_line(journal, &line) < 0)
+            error_msg_and_die(_("Cannot read journal data."));
+
+        if (lines_info_count == lines_info_size)
+        {
+            lines_info_size *= 2;
+            lines_info = xrealloc(lines_info, lines_info_size * sizeof(lines_info[0]));
+        }
+
+        lines_info[lines_info_count].level = koops_line_skip_level(&line);
+        koops_line_skip_jiffies(&line);
+
+        lines_info[lines_info_count].ptr = xstrdup(line);
+
+        ++lines_info_count;
+    }
+    while (lines_info_count < ABRT_JOURNAL_MAX_READ_LINES
+            && abrt_journal_next(journal) > 0);
+
+    GList *oops_list = NULL;
+    koops_extract_oopses_from_lines(&oops_list, lines_info, lines_info_count);
+
+    log_debug("Extracted: %d oopses", g_list_length(oops_list));
+
+    for (size_t i = 0; i < lines_info_count; ++i)
+        free(lines_info[i].ptr);
+
+    free(lines_info);
+
+    return oops_list;
+}
+
+/*
+ * An adatapter of abrt_journal_extract_kernel_oops for abrt_journal_watch_callback
+ */
+struct watch_journald_settings
+{
+    const char *dump_location;
+    int oops_utils_flags;
+};
+
+static void abrt_journal_watch_extract_kernel_oops(abrt_journal_watch_t *watch, void *data)
+{
+    const struct watch_journald_settings *conf = (const struct watch_journald_settings *)data;
+
+    abrt_journal_t *journal = abrt_journal_watch_get_journal(watch);
+
+    /* Give systemd-journal one second to suck in all kernel's strings */
+    if (abrt_oops_signaled_sleep(1) > 0)
+    {
+        abrt_journal_watch_stop(watch);
+        return;
+    }
+
+    GList *oopses = abrt_journal_extract_kernel_oops(journal);
+    abrt_oops_process_list(oopses, conf->dump_location, conf->oops_utils_flags);
+    g_list_free_full(oopses, (GDestroyNotify)free);
+
+    /* Skip stuff which appeared while processing oops as it is not necessary */
+    /* to catch all consecutive oopses (anyway such oopses are almost */
+    /* certainly duplicates of the already extracted ones) */
+    abrt_journal_seek_tail(journal);
+
+    /* In case of disaster, lets make sure we won't read the journal messages */
+    /* again. */
+    save_abrt_journal_watch_position(journal, ABRT_JOURNAL_WATCH_STATE_FILE);
+
+    if (g_abrt_oops_sleep_woke_up_on_signal > 0)
+        abrt_journal_watch_stop(watch);
+}
+
+/*
+ * Koops extractor end
+ */
+
+static void try_restore_abrt_journal_watch_position(abrt_journal_t *journal, const char *file_name)
+{
+    struct stat buf;
+    if (lstat(file_name, &buf) < 0)
+    {
+        if (errno == ENOENT)
+        {
+            /* Only notice because this is expected */
+            log_notice(_("Not restoring journal watch's position: file '%s' does not exist"), file_name);
+            return;
+        }
+
+        perror_msg(_("Cannot restore journal watch's position form file '%s'"), file_name);
+        return;
+    }
+
+    if (!(buf.st_mode & S_IFREG))
+    {
+        error_msg(_("Cannot restore journal watch's position: path '%s' is not regular file"), file_name);
+        return;
+    }
+
+    if (buf.st_size > ABRT_JOURNAL_WATCH_STATE_FILE_MAX_SZ)
+    {
+        error_msg(_("Cannot restore journal watch's position: file '%s' exceeds %dB size limit"),
+                file_name, ABRT_JOURNAL_WATCH_STATE_FILE_MAX_SZ);
+        return;
+    }
+
+    int state_fd = open(file_name, O_RDONLY | O_NOFOLLOW);
+    if (state_fd < 0)
+    {
+        perror_msg(_("Cannot restore journal watch's position: open('%s')"), file_name);
+        return;
+    }
+
+    char *crsr = xmalloc(buf.st_size + 1);
+
+    const int sz = full_read(state_fd, crsr, buf.st_size);
+    if (sz != buf.st_size)
+    {
+        error_msg(_("Cannot restore journal watch's position: cannot read entire file '%s'"), file_name);
+        close(state_fd);
+        return;
+    }
+
+    crsr[sz] = '\0';
+    close(state_fd);
+
+    const int r = abrt_journal_set_cursor(journal, crsr);
+    if (r < 0)
+    {
+        /* abrt_journal_set_cursor() prints error message in verbose mode */
+        error_msg(_("Failed to move the journal to a cursor from file '%s'"), file_name);
+        return;
+    }
+
+    free(crsr);
+}
+
+static void save_abrt_journal_watch_position(abrt_journal_t *journal, const char *file_name)
+{
+    char *crsr = NULL;
+    const int r = abrt_journal_get_cursor(journal, &crsr);
+
+    if (r < 0)
+    {
+        /* abrt_journal_set_cursor() prints error message in verbose mode */
+        error_msg(_("Cannot save journal watch's position"));
+        return;
+    }
+
+    int state_fd = open(file_name,
+            O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW,
+            ABRT_JOURNAL_WATCH_STATE_FILE_MODE);
+
+    if (state_fd < 0)
+    {
+        perror_msg(_("Cannot save journal watch's position: open('%s')"), file_name);
+        return;
+    }
+
+    full_write_str(state_fd, crsr);
+    close(state_fd);
+
+    free(crsr);
+}
+
+static void watch_journald(abrt_journal_t *journal, const char *dump_location, int flags)
+{
+    GList *koops_strings = koops_suspicious_strings_list();
+
+    char *oops_string_filter_regex = abrt_oops_string_filter_regex();
+    if (oops_string_filter_regex)
+    {
+        regex_t filter_re;
+        if (regcomp(&filter_re, oops_string_filter_regex, REG_NOSUB) != 0)
+            perror_msg_and_die(_("Failed to compile regex"));
+
+        GList *iter = koops_strings;
+        while(iter != NULL)
+        {
+            GList *next = g_list_next(iter);
+
+            const int reti = regexec(&filter_re, (const char *)iter->data, 0, NULL, 0);
+            if (reti == 0)
+                koops_strings = g_list_delete_link(koops_strings, iter);
+            else if (reti != REG_NOMATCH)
+            {
+                char msgbuf[100];
+                regerror(reti, &filter_re, msgbuf, sizeof(msgbuf));
+                error_msg_and_die("Regex match failed: %s", msgbuf);
+            }
+
+            iter = next;
+        }
+
+        regfree(&filter_re);
+        free(oops_string_filter_regex);
+    }
+
+    struct watch_journald_settings watch_conf = {
+        .dump_location = dump_location,
+        .oops_utils_flags = flags,
+    };
+
+    struct abrt_journal_watch_notify_strings notify_strings_conf = {
+        .decorated_cb = abrt_journal_watch_extract_kernel_oops,
+        .decorated_cb_data = &watch_conf,
+        .strings = koops_strings,
+    };
+
+    abrt_journal_watch_t *watch = NULL;
+    if (abrt_journal_watch_new(&watch, journal, abrt_journal_watch_notify_strings, &notify_strings_conf) < 0)
+        error_msg_and_die(_("Failed to initialize systemd-journal watch"));
+
+    abrt_journal_watch_run_sync(watch);
+    abrt_journal_watch_free(watch);
+
+    g_list_free(koops_strings);
+}
+
+int main(int argc, char *argv[])
+{
+    /* I18n */
+    setlocale(LC_ALL, "");
+#if ENABLE_NLS
+    bindtextdomain(PACKAGE, LOCALEDIR);
+    textdomain(PACKAGE);
+#endif
+
+    abrt_init(argv);
+
+    /* Can't keep these strings/structs static: _() doesn't support that */
+    const char *program_usage_string = _(
+        "& [-vsoxtf] [-e]/[-c CURSOR] [-d DIR]/[-D]\n"
+        "\n"
+        "Extract oops from systemd-journal\n"
+        "\n"
+        "-c and -e options conflicts because both specifies the first read message.\n"
+        "\n"
+        "-e is useful only for -f because the following of journal starts by reading \n"
+        "the entire journal if the last seen possition is not available.\n"
+        "\n"
+        "The last seen position is saved in "ABRT_JOURNAL_WATCH_STATE_FILE"\n"
+    );
+    enum {
+        OPT_v = 1 << 0,
+        OPT_s = 1 << 1,
+        OPT_o = 1 << 2,
+        OPT_d = 1 << 3,
+        OPT_D = 1 << 4,
+        OPT_x = 1 << 5,
+        OPT_t = 1 << 6,
+        OPT_c = 1 << 7,
+        OPT_e = 1 << 8,
+        OPT_f = 1 << 9,
+    };
+
+    char *cursor = NULL;
+    char *dump_location = NULL;
+
+    /* Keep enum above and order of options below in sync! */
+    struct options program_options[] = {
+        OPT__VERBOSE(&g_verbose),
+        OPT_BOOL(  's', NULL, NULL, _("Log to syslog")),
+        OPT_BOOL(  'o', NULL, NULL, _("Print found oopses on standard output")),
+        /* oopses don't contain any sensitive info, and even
+         * the old koops app was showing the oopses to all users
+         */
+        OPT_STRING('d', NULL, &dump_location, "DIR", _("Create new problem directory in DIR for every oops found")),
+        OPT_BOOL(  'D', NULL, NULL, _("Same as -d DumpLocation, DumpLocation is specified in abrt.conf")),
+        OPT_BOOL(  'x', NULL, NULL, _("Make the problem directory world readable")),
+        OPT_BOOL(  't', NULL, NULL, _("Throttle problem directory creation to 1 per second")),
+        OPT_STRING('c', NULL, &cursor, "CURSOR", _("Start reading systemd-journal from the CURSOR position")),
+        OPT_BOOL(  'e', NULL, NULL, _("Start reading systemd-journal from the end")),
+        OPT_BOOL(  'f', NULL, NULL, _("Follow systemd-journal from the last seen position (if available)")),
+        OPT_END()
+    };
+    unsigned opts = parse_opts(argc, argv, program_options, program_usage_string);
+
+    export_abrt_envvars(0);
+
+    msg_prefix = g_progname;
+    if ((opts & OPT_s) || getenv("ABRT_SYSLOG"))
+    {
+        logmode = LOGMODE_JOURNAL;
+    }
+
+    if ((opts & OPT_c) && (opts & OPT_e))
+        error_msg_and_die(_("You need to specify either -c CURSOR or -e"));
+
+    if (opts & OPT_D)
+    {
+        if (opts & OPT_d)
+            show_usage_and_die(program_usage_string, program_options);
+        load_abrt_conf();
+        dump_location = g_settings_dump_location;
+        g_settings_dump_location = NULL;
+        free_abrt_conf_data();
+    }
+
+    int oops_utils_flags = 0;
+    if ((opts & OPT_x))
+        oops_utils_flags |= ABRT_OOPS_WORLD_READABLE;
+
+    if ((opts & OPT_t))
+        oops_utils_flags |= ABRT_OOPS_THROTTLE_CREATION;
+
+    if ((opts & OPT_o))
+        oops_utils_flags |= ABRT_OOPS_PRINT_STDOUT;
+
+    const char *const env_journal_filter = getenv("ABRT_DUMP_JOURNAL_OOPS_DEBUG_FILTER");
+    static const char *kernel_journal_filter[2] = { 0 };
+    kernel_journal_filter[0] = (env_journal_filter ? env_journal_filter : "SYSLOG_IDENTIFIER=kernel");
+    log_debug("Using journal match: '%s'", kernel_journal_filter[0]);
+
+    abrt_journal_t *journal = NULL;
+    if (abrt_journal_new(&journal))
+        error_msg_and_die(_("Cannot open systemd-journal"));
+
+    if (abrt_journal_set_journal_filter(journal, kernel_journal_filter) < 0)
+        error_msg_and_die(_("Cannot filter systemd-journal to kernel data only"));
+
+    if ((opts & OPT_e) && abrt_journal_seek_tail(journal) < 0)
+        error_msg_and_die(_("Cannot seek to the end of journal"));
+
+    if ((opts & OPT_f))
+    {
+        if (!cursor)
+            try_restore_abrt_journal_watch_position(journal, ABRT_JOURNAL_WATCH_STATE_FILE);
+        else if(abrt_journal_set_cursor(journal, cursor))
+            error_msg_and_die(_("Failed to start watch from cursor '%s'"), cursor);
+
+        watch_journald(journal, dump_location, oops_utils_flags);
+
+        save_abrt_journal_watch_position(journal, ABRT_JOURNAL_WATCH_STATE_FILE);
+    }
+    else
+    {
+        if (cursor && abrt_journal_set_cursor(journal, cursor))
+            error_msg_and_die(_("Failed to set systemd-journal cursor '%s'"), cursor);
+
+        /* Compatibility hack, a watch's callback gets the journal already moved
+         * to a next message.*/
+        abrt_journal_next(journal);
+
+        GList *oopses = abrt_journal_extract_kernel_oops(journal);
+        const int errors = abrt_oops_process_list(oopses, dump_location, oops_utils_flags);
+        g_list_free_full(oopses, (GDestroyNotify)free);
+
+        return errors;
+    }
+
+    abrt_journal_free(journal);
+
+    return EXIT_SUCCESS;
+}
diff --git a/src/plugins/abrt-dump-oops.c b/src/plugins/abrt-dump-oops.c
index 9f0dc87..b1031ea 100644
--- a/src/plugins/abrt-dump-oops.c
+++ b/src/plugins/abrt-dump-oops.c
@@ -1,6 +1,6 @@
 /*
-    Copyright (C) 2011  ABRT team
-    Copyright (C) 2011  RedHat Inc
+    Copyright (C) 2011,2014  ABRT team
+    Copyright (C) 2011,2014  RedHat Inc
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -18,16 +18,7 @@
  */
 #include <syslog.h>
 #include "libabrt.h"
-
-/* How many problem dirs to create at most?
- * Also causes cooldown sleep with -t if exceeded -
- * useful when called from a log watcher.
- */
-#define MAX_DUMPED_DD_COUNT  5
-
-static bool world_readable_dump = false;
-static bool throttle_dd_creation = false;
-static const char *debug_dumps_dir = ".";
+#include "oops-utils.h"
 
 #define MAX_SCAN_BLOCK  (4*1024*1024)
 #define READ_AHEAD          (10*1024)
@@ -69,175 +60,6 @@ static void scan_syslog_file(GList **oops_list, int fd)
     free(buffer);
 }
 
-static char *list_of_tainted_modules(const char *proc_modules)
-{
-    struct strbuf *result = strbuf_new();
-
-    const char *p = proc_modules;
-    for (;;)
-    {
-        const char *end = strchrnul(p, '\n');
-        const char *paren = strchrnul(p, '(');
-        /* We look for a line with this format:
-         * "kvm_intel 126289 0 - Live 0xf829e000 (taint_flags)"
-         * where taint_flags have letters
-         * (flags '+' and '-' indicate (un)loading, we must ignore them).
-         */
-        while (++paren < end)
-        {
-            if ((unsigned)(toupper(*paren) - 'A') <= 'Z'-'A')
-            {
-                strbuf_append_strf(result, result->len == 0 ? "%.*s" : ",%.*s",
-                        (int)(strchrnul(p,' ') - p), p
-                );
-                break;
-            }
-            if (*paren == ')')
-                break;
-        }
-
-        if (*end == '\0')
-            break;
-        p = end + 1;
-    }
-
-    if (result->len == 0)
-    {
-        strbuf_free(result);
-        return NULL;
-    }
-    return strbuf_free_nobuf(result);
-}
-
-static void save_oops_data_in_dump_dir(struct dump_dir *dd, char *oops, const char *proc_modules)
-{
-    char *first_line = oops;
-    char *second_line = (char*)strchr(first_line, '\n'); /* never NULL */
-    *second_line++ = '\0';
-
-    if (first_line[0])
-        dd_save_text(dd, FILENAME_KERNEL, first_line);
-    dd_save_text(dd, FILENAME_BACKTRACE, second_line);
-
-    /* check if trace doesn't have line: 'Your BIOS is broken' */
-    if (strstr(second_line, "Your BIOS is broken"))
-        dd_save_text(dd, FILENAME_NOT_REPORTABLE,
-                _("A kernel problem occurred because of broken BIOS. "
-                  "Unfortunately, such problems are not fixable by kernel maintainers."));
-    /* check if trace doesn't have line: 'Your hardware is unsupported' */
-    else if (strstr(second_line, "Your hardware is unsupported"))
-        dd_save_text(dd, FILENAME_NOT_REPORTABLE,
-                _("A kernel problem occurred, but your hardware is unsupported, "
-                  "therefore kernel maintainers are unable to fix this problem."));
-    else
-    {
-        char *tainted_short = kernel_tainted_short(second_line);
-        if (tainted_short)
-        {
-            log_notice("Kernel is tainted '%s'", tainted_short);
-            dd_save_text(dd, FILENAME_TAINTED_SHORT, tainted_short);
-
-            char *tnt_long = kernel_tainted_long(tainted_short);
-            dd_save_text(dd, FILENAME_TAINTED_LONG, tnt_long);
-            free(tnt_long);
-
-            struct strbuf *reason = strbuf_new();
-            const char *fmt = _("A kernel problem occurred, but your kernel has been "
-                    "tainted (flags:%s). Kernel maintainers are unable to "
-                    "diagnose tainted reports.");
-            strbuf_append_strf(reason, fmt, tainted_short);
-
-            char *modlist = !proc_modules ? NULL : list_of_tainted_modules(proc_modules);
-            if (modlist)
-            {
-                strbuf_append_strf(reason, _(" Tainted modules: %s."), modlist);
-                free(modlist);
-            }
-
-            dd_save_text(dd, FILENAME_NOT_REPORTABLE, reason->buf);
-            strbuf_free(reason);
-            free(tainted_short);
-        }
-    }
-
-    // TODO: add "Kernel oops: " prefix, so that all oopses have recognizable FILENAME_REASON?
-    // kernel oops 1st line may look quite puzzling otherwise...
-    strchrnul(second_line, '\n')[0] = '\0';
-    dd_save_text(dd, FILENAME_REASON, second_line);
-}
-
-/* returns number of errors */
-static unsigned create_oops_dump_dirs(GList *oops_list, unsigned oops_cnt)
-{
-    unsigned countdown = MAX_DUMPED_DD_COUNT; /* do not report hundreds of oopses */
-
-    log_notice("Saving %u oopses as problem dirs", oops_cnt >= countdown ? countdown : oops_cnt);
-
-    char *cmdline_str = xmalloc_fopen_fgetline_fclose("/proc/cmdline");
-    char *fips_enabled = xmalloc_fopen_fgetline_fclose("/proc/sys/crypto/fips_enabled");
-    char *proc_modules = xmalloc_open_read_close("/proc/modules", /*maxsize:*/ NULL);
-    char *suspend_stats = xmalloc_open_read_close("/sys/kernel/debug/suspend_stats", /*maxsize:*/ NULL);
-
-    time_t t = time(NULL);
-    const char *iso_date = iso_date_string(&t);
-    /* dump should be readable by all if we're run with -x */
-    uid_t my_euid = (uid_t)-1L;
-    mode_t mode = DEFAULT_DUMP_DIR_MODE | S_IROTH;
-    /* and readable only for the owner otherwise */
-    if (!world_readable_dump)
-    {
-        mode = DEFAULT_DUMP_DIR_MODE;
-        my_euid = geteuid();
-    }
-
-    pid_t my_pid = getpid();
-    unsigned idx = 0;
-    unsigned errors = 0;
-    while (idx < oops_cnt)
-    {
-        char base[sizeof("oops-YYYY-MM-DD-hh:mm:ss-%lu-%lu") + 2 * sizeof(long)*3];
-        sprintf(base, "oops-%s-%lu-%lu", iso_date, (long)my_pid, (long)idx);
-        char *path = concat_path_file(debug_dumps_dir, base);
-
-        struct dump_dir *dd = dd_create(path, /*uid:*/ my_euid, mode);
-        if (dd)
-        {
-            dd_create_basic_files(dd, /*uid:*/ my_euid, NULL);
-            save_oops_data_in_dump_dir(dd, (char*)g_list_nth_data(oops_list, idx++), proc_modules);
-            dd_save_text(dd, FILENAME_ABRT_VERSION, VERSION);
-            dd_save_text(dd, FILENAME_ANALYZER, "Kerneloops");
-            dd_save_text(dd, FILENAME_TYPE, "Kerneloops");
-            if (cmdline_str)
-                dd_save_text(dd, FILENAME_CMDLINE, cmdline_str);
-            if (proc_modules)
-                dd_save_text(dd, "proc_modules", proc_modules);
-            if (fips_enabled && strcmp(fips_enabled, "0") != 0)
-                dd_save_text(dd, "fips_enabled", fips_enabled);
-            if (suspend_stats)
-                dd_save_text(dd, "suspend_stats", suspend_stats);
-            dd_close(dd);
-            notify_new_path(path);
-        }
-        else
-            errors++;
-
-        free(path);
-
-        if (--countdown == 0)
-            break;
-
-        if (dd && throttle_dd_creation)
-            sleep(1);
-    }
-
-    free(cmdline_str);
-    free(proc_modules);
-    free(fips_enabled);
-    free(suspend_stats);
-
-    return errors;
-}
-
 int main(int argc, char **argv)
 {
     /* I18n */
@@ -267,6 +89,7 @@ int main(int argc, char **argv)
         OPT_m = 1 << 8,
     };
     char *problem_dir = NULL;
+    char *dump_location = NULL;
     /* Keep enum above and order of options below in sync! */
     struct options program_options[] = {
         OPT__VERBOSE(&g_verbose),
@@ -275,7 +98,7 @@ int main(int argc, char **argv)
         /* oopses don't contain any sensitive info, and even
          * the old koops app was showing the oopses to all users
          */
-        OPT_STRING('d', NULL, &debug_dumps_dir, "DIR", _("Create new problem directory in DIR for every oops found")),
+        OPT_STRING('d', NULL, &dump_location, "DIR", _("Create new problem directory in DIR for every oops found")),
         OPT_BOOL(  'D', NULL, NULL, _("Same as -d DumpLocation, DumpLocation is specified in abrt.conf")),
         OPT_STRING('u', NULL, &problem_dir, "PROBLEM", _("Save the extracted information in PROBLEM")),
         OPT_BOOL(  'x', NULL, NULL, _("Make the problem directory world readable")),
@@ -295,26 +118,19 @@ int main(int argc, char **argv)
 
     if (opts & OPT_m)
     {
-        map_string_t *settings = new_map_string();
-
-        load_abrt_plugin_conf_file("oops.conf", settings);
-
-        int only_fatal_mce = 1;
-        try_get_map_string_item_as_bool(settings, "OnlyFatalMCE", &only_fatal_mce);
-
-        free_map_string(settings);
-
-        if (only_fatal_mce)
+        char *oops_string_filter_regex = abrt_oops_string_filter_regex();
+        if (oops_string_filter_regex)
         {
-            regex_t mce_re;
-            if (regcomp(&mce_re, "^Machine .*$", REG_NOSUB) != 0)
+            regex_t filter_re;
+            if (regcomp(&filter_re, oops_string_filter_regex, REG_NOSUB) != 0)
                 perror_msg_and_die(_("Failed to compile regex"));
 
-            const regex_t *filter[] = { &mce_re, NULL };
+            const regex_t *filter[] = { &filter_re, NULL };
 
             koops_print_suspicious_strings_filtered(filter);
 
-            regfree(&mce_re);
+            regfree(&filter_re);
+            free(oops_string_filter_regex);
         }
         else
             koops_print_suspicious_strings();
@@ -327,100 +143,55 @@ int main(int argc, char **argv)
         if (opts & OPT_d)
             show_usage_and_die(program_usage_string, program_options);
         load_abrt_conf();
-        debug_dumps_dir = g_settings_dump_location;
+        dump_location = g_settings_dump_location;
         g_settings_dump_location = NULL;
         free_abrt_conf_data();
     }
 
+    int oops_utils_flags = 0;
+    if ((opts & OPT_x))
+        oops_utils_flags |= ABRT_OOPS_WORLD_READABLE;
+
+    if ((opts & OPT_t))
+        oops_utils_flags |= ABRT_OOPS_THROTTLE_CREATION;
+
+    if ((opts & OPT_o))
+        oops_utils_flags |= ABRT_OOPS_PRINT_STDOUT;
+
     argv += optind;
     if (argv[0])
         xmove_fd(xopen(argv[0], O_RDONLY), STDIN_FILENO);
 
-    world_readable_dump = (opts & OPT_x);
-    throttle_dd_creation = (opts & OPT_t);
-    unsigned errors = 0;
     GList *oops_list = NULL;
     scan_syslog_file(&oops_list, STDIN_FILENO);
 
-    int oops_cnt = g_list_length(oops_list);
-    if (oops_cnt != 0)
+    unsigned errors = 0;
+    if (opts & OPT_u)
     {
-        log("Found oopses: %d", oops_cnt);
-        if (opts & OPT_o)
-        {
-            int i = 0;
-            while (i < oops_cnt)
-            {
-                char *kernel_bt = (char*)g_list_nth_data(oops_list, i++);
-                char *tainted_short = kernel_tainted_short(kernel_bt);
-                if (tainted_short)
-                    log("Kernel is tainted '%s'", tainted_short);
-
-                free(tainted_short);
-                printf("\nVersion: %s", kernel_bt);
-            }
-        }
-        if (opts & (OPT_d|OPT_D))
-        {
-            if (opts & OPT_D)
-            {
-                load_abrt_conf();
-                debug_dumps_dir = g_settings_dump_location;
-            }
-
-            log("Creating problem directories");
-            errors = create_oops_dump_dirs(oops_list, oops_cnt);
-            if (errors)
-                log("%d errors while dumping oopses", errors);
-            /*
-             * This marker in syslog file prevents us from
-             * re-parsing old oopses. The only problem is that we
-             * can't be sure here that the file we are watching
-             * is the same file where syslog(xxx) stuff ends up.
-             */
-            syslog(LOG_WARNING,
-                    "Reported %u kernel oopses to Abrt",
-                    oops_cnt
-            );
-        }
-        if (opts & OPT_u)
+        log("Updating problem directory");
+        switch (g_list_length(oops_list))
         {
-            log("Updating problem directory");
-            switch (oops_cnt)
-            {
-                case 1:
+            case 1:
+                {
+                    struct dump_dir *dd = dd_opendir(problem_dir, /*open for writing*/0);
+                    if (dd)
                     {
-                        struct dump_dir *dd = dd_opendir(problem_dir, /*open for writing*/0);
-                        if (dd)
-                        {
-                            save_oops_data_in_dump_dir(dd, (char *)oops_list->data, /*no proc modules*/NULL);
-                            dd_close(dd);
-                        }
+                        abrt_oops_save_data_in_dump_dir(dd, (char *)oops_list->data, /*no proc modules*/NULL);
+                        dd_close(dd);
                     }
-                    break;
-                default:
-                    error_msg(_("Can't update the problem: more than one oops found"));
-                    break;
-            }
+                }
+                break;
+            default:
+                error_msg(_("Can't update the problem: more than one oops found"));
+                errors = 1;
+                break;
         }
     }
+    else
+        errors = abrt_oops_process_list(oops_list, dump_location, oops_utils_flags);
+
     list_free_with_free(oops_list);
     //oops_list = NULL;
 
-    /* If we are run by a log watcher, this delays log rescan
-     * (because log watcher waits to us to terminate)
-     * and possibly prevents dreaded "abrt storm".
-     */
-    int unreported_cnt = oops_cnt - MAX_DUMPED_DD_COUNT;
-    if (unreported_cnt > 0 && throttle_dd_creation)
-    {
-        /* Quadratic throttle time growth, but careful to not overflow in "n*n" */
-        int n = unreported_cnt > 30 ? 30 : unreported_cnt;
-        n = n * n;
-        if (n > 9)
-            log(_("Sleeping for %d seconds"), n);
-        sleep(n); /* max 15 mins */
-    }
-
     return errors;
 }
diff --git a/src/plugins/abrt-journal.c b/src/plugins/abrt-journal.c
new file mode 100644
index 0000000..472357d
--- /dev/null
+++ b/src/plugins/abrt-journal.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2014  ABRT team
+ * Copyright (C) 2014  RedHat Inc
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#include <unistd.h>
+#include <signal.h>
+#include <poll.h>
+#include <stdlib.h>
+#include <abrt/libabrt.h>
+#include <stdio.h>
+
+#include "abrt-journal.h"
+
+#include <systemd/sd-journal.h>
+
+
+struct abrt_journal
+{
+    sd_journal *j;
+};
+
+int abrt_journal_new(abrt_journal_t **journal)
+{
+    sd_journal *j;
+    const int r = sd_journal_open(&j, SD_JOURNAL_LOCAL_ONLY);
+    if (r < 0)
+    {
+        log_notice("Failed to open journal: %s", strerror(-r));
+        return r;
+    }
+
+    *journal = xzalloc(sizeof(**journal));
+    (*journal)->j = j;
+
+    return 0;
+}
+
+void abrt_journal_free(abrt_journal_t *journal)
+{
+    sd_journal_close(journal->j);
+    journal->j = (void *)0xDEADBEAF;
+
+    free(journal);
+}
+
+int abrt_journal_set_journal_filter(abrt_journal_t *journal, const char *const *journal_filter_list)
+{
+    const char *const *cursor = journal_filter_list;
+
+    while (*cursor)
+    {
+        const int r = sd_journal_add_match(journal->j, *cursor, strlen(*cursor));
+        if (r < 0)
+        {
+            log_notice("Failed to set journal filter: %s", strerror(-r));
+            return r;
+        }
+
+        ++cursor;
+    }
+
+    return 0;
+}
+
+int abrt_journal_get_field(abrt_journal_t *journal, const char *field, const void **value, size_t *value_len)
+{
+    const int r = sd_journal_get_data(journal->j, field, value, value_len);
+    if (r < 0)
+    {
+        log_notice("Failed to read '%s' field: %s", field, strerror(-r));
+        return r;
+    }
+
+    return 0;
+}
+
+int abrt_journal_get_string_field(abrt_journal_t *journal, const char *field, const char **value)
+{
+    size_t value_len;
+    const int r = abrt_journal_get_field(journal, field, (const void **)value, &value_len);
+    if (r < 0)
+    {
+        return r;
+    }
+
+    const size_t pfx_len = strlen(field) + 1;
+    if (value_len < pfx_len)
+    {
+        error_msg("Invalid data format from journal: field data are not prefixed with field name");
+        return -EBADMSG;
+    }
+
+    *value += pfx_len;
+    return 0;
+}
+
+int abrt_journal_get_log_line(abrt_journal_t *journal, const char **line)
+{
+    const int r = abrt_journal_get_string_field(journal, "MESSAGE", line);
+    if (r < 0)
+        log_notice("Cannot read journal data. Exiting");
+
+    return r;
+}
+
+int abrt_journal_get_cursor(abrt_journal_t *journal, char **cursor)
+{
+    const int r = sd_journal_get_cursor(journal->j, cursor);
+
+    if (r < 0)
+    {
+        log_notice("Could not get journal cursor: '%s'", strerror(-r));
+        return r;
+    }
+
+    return 0;
+}
+
+int abrt_journal_set_cursor(abrt_journal_t *journal, const char *cursor)
+{
+    const int r = sd_journal_seek_cursor(journal->j, cursor);
+    if (r < 0)
+    {
+        log_notice("Failed to seek journal to cursor '%s': %s\n", cursor, strerror(-r));
+        return r;
+    }
+
+    return 0;
+}
+
+int abrt_journal_seek_tail(abrt_journal_t *journal)
+{
+    const int r = sd_journal_seek_tail(journal->j);
+    if (r < 0)
+    {
+        log_notice("Failed to seek journal to the end: %s\n", strerror(-r));
+        return r;
+    }
+
+    /* BUG: https://bugzilla.redhat.com/show_bug.cgi?id=979487 */
+    sd_journal_previous_skip(journal->j, 1);
+    return 0;
+}
+
+int abrt_journal_next(abrt_journal_t *journal)
+{
+    const int r = sd_journal_next(journal->j);
+    if (r < 0)
+        log_notice("Failed to iterate to next entry: %s", strerror(-r));
+    return r;
+}
+
+/*
+ * ABRT systemd-journal wrapper end
+ */
+
+static volatile int s_loop_terminated;
+void signal_loop_to_terminate(int signum)
+{
+    signum = signum;
+    s_loop_terminated = 1;
+}
+
+enum abrt_journal_watch_state
+{
+    ABRT_JOURNAL_WATCH_READY,
+    ABRT_JOURNAL_WATCH_STOPPED,
+};
+
+struct abrt_journal_watch
+{
+    abrt_journal_t *j;
+    int state;
+
+    abrt_journal_watch_callback callback;
+    void *callback_data;
+};
+
+int abrt_journal_watch_new(abrt_journal_watch_t **watch, abrt_journal_t *journal, abrt_journal_watch_callback callback, void *callback_data)
+{
+    assert(callback != NULL || !"ABRT watch needs valid callback ptr");
+
+    *watch = xzalloc(sizeof(**watch));
+    (*watch)->j = journal;
+    (*watch)->callback = callback;
+    (*watch)->callback_data = callback_data;
+
+    return 0;
+}
+
+void abrt_journal_watch_free(abrt_journal_watch_t *watch)
+{
+    watch->j = (void *)0xDEADBEAF;
+    free(watch);
+}
+
+abrt_journal_t *abrt_journal_watch_get_journal(abrt_journal_watch_t *watch)
+{
+    return watch->j;
+}
+
+int abrt_journal_watch_run_sync(abrt_journal_watch_t *watch)
+{
+    sigset_t mask;
+    sigfillset(&mask);
+
+    /* Exit gracefully: */
+    /* services usually exit on SIGTERM and SIGHUP */
+    sigdelset(&mask, SIGTERM);
+    signal(SIGTERM, signal_loop_to_terminate);
+    sigdelset(&mask, SIGHUP);
+    signal(SIGHUP, signal_loop_to_terminate);
+    /* Ctrl-C for easier debugging */
+    sigdelset(&mask, SIGINT);
+    signal(SIGINT, signal_loop_to_terminate);
+
+    /* Die on kill $PID */
+    sigdelset(&mask, SIGKILL);
+
+    struct pollfd pollfd;
+    pollfd.fd = sd_journal_get_fd(watch->j->j);
+    pollfd.events = sd_journal_get_events(watch->j->j);
+
+    int r = 0;
+
+    while (!s_loop_terminated && watch->state == ABRT_JOURNAL_WATCH_READY)
+    {
+        r = sd_journal_next(watch->j->j);
+        if (r < 0)
+        {
+            log_warning("Failed to iterate to next entry: %s", strerror(-r));
+            break;
+        }
+        else if (r == 0)
+        {
+            ppoll(&pollfd, 1, NULL, &mask);
+            r = sd_journal_process(watch->j->j);
+            if (r < 0)
+            {
+                log_warning("Failed to get journal changes: %s\n", strerror(-r));
+                break;
+            }
+            continue;
+        }
+
+        watch->callback(watch, watch->callback_data);
+    }
+
+    return r;
+}
+
+void abrt_journal_watch_stop(abrt_journal_watch_t *watch)
+{
+    watch->state = ABRT_JOURNAL_WATCH_STOPPED;
+}
+
+/*
+ * ABRT systemd-journal watch - end
+ */
+
+void abrt_journal_watch_notify_strings(abrt_journal_watch_t *watch, void *data)
+{
+    struct abrt_journal_watch_notify_strings *conf = (struct abrt_journal_watch_notify_strings *)data;
+
+    const char *message = NULL;
+
+    if (abrt_journal_get_string_field(abrt_journal_watch_get_journal(watch), "MESSAGE", &message) < 0)
+        error_msg_and_die("Cannot read journal data.");
+
+    GList *cur = conf->strings;
+    while (cur)
+    {
+        if (strstr(message, cur->data) != NULL)
+            break;
+
+        cur = g_list_next(cur);
+    }
+
+    if (cur)
+        conf->decorated_cb(watch, conf->decorated_cb_data);
+}
+
+/*
+ * ABRT systemd-journal strings notifier - end
+ */
diff --git a/src/plugins/abrt-journal.h b/src/plugins/abrt-journal.h
new file mode 100644
index 0000000..219cf60
--- /dev/null
+++ b/src/plugins/abrt-journal.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2014  ABRT team
+ * Copyright (C) 2014  RedHat Inc
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#ifndef _ABRT_JOURNAL_H_
+#define _ABRT_JOURNAL_H_
+
+#include <glib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * A systemd-journal wrapper
+ * (isolates systemd API in a single compile unit)
+ */
+struct abrt_journal;
+typedef struct abrt_journal abrt_journal_t;
+
+int abrt_journal_new(abrt_journal_t **journal);
+
+void abrt_journal_free(abrt_journal_t *journal);
+
+int abrt_journal_set_journal_filter(abrt_journal_t *journal,
+                                    const char *const *journal_filter_list);
+
+int abrt_journal_get_field(abrt_journal_t *journal,
+                           const char *field,
+                           const void **value,
+                           size_t *value_len);
+
+int abrt_journal_get_string_field(abrt_journal_t *journal,
+                                  const char *field,
+                                  const char **value);
+
+int abrt_journal_get_log_line(abrt_journal_t *journal, const char **line);
+
+int abrt_journal_get_cursor(abrt_journal_t *journal, char **cursor);
+
+int abrt_journal_set_cursor(abrt_journal_t *journal, const char *cursor);
+
+int abrt_journal_seek_tail(abrt_journal_t *journal);
+
+int abrt_journal_next(abrt_journal_t *journal);
+
+/*
+ * A systemd-journal listener which waits for new messages a loop and notifies
+ * them via a call back
+ */
+struct abrt_journal_watch;
+typedef struct abrt_journal_watch abrt_journal_watch_t;
+
+typedef void (* abrt_journal_watch_callback)(struct abrt_journal_watch *watch,
+                                             void *data);
+
+int abrt_journal_watch_new(abrt_journal_watch_t **watch,
+                           abrt_journal_t *journal,
+                           abrt_journal_watch_callback callback,
+                           void *callback_data);
+
+void abrt_journal_watch_free(abrt_journal_watch_t *watch);
+
+/*
+ * Returns the watched journal.
+ */
+abrt_journal_t *abrt_journal_watch_get_journal(abrt_journal_watch_t *watch);
+
+/*
+ * Starts reading journal messages and waiting for new messages in a loop.
+ *
+ * SIGTERM and SIGINT terminates the loop gracefully.
+ */
+int abrt_journal_watch_run_sync(abrt_journal_watch_t *watch);
+
+/*
+ * Can be used to terminate the loop in abrt_journal_watch_run_sync()
+ */
+void abrt_journal_watch_stop(abrt_journal_watch_t *watch);
+
+
+/*
+ * A decorator for abrt_journal_watch call backs which calls the decorated call
+ * back in case where journal message contains a string from the interested
+ * list.
+ */
+struct abrt_journal_watch_notify_strings
+{
+    abrt_journal_watch_callback decorated_cb;
+    void *decorated_cb_data;
+    GList *strings;
+};
+
+void abrt_journal_watch_notify_strings(abrt_journal_watch_t *watch, void *data);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /*_ABRT_JOURNAL_H_*/
diff --git a/src/plugins/oops-utils.c b/src/plugins/oops-utils.c
new file mode 100644
index 0000000..9e2355e
--- /dev/null
+++ b/src/plugins/oops-utils.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2014  ABRT team
+ * Copyright (C) 2014  RedHat Inc
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#include "oops-utils.h"
+#include "libabrt.h"
+
+int abrt_oops_process_list(GList *oops_list, const char *dump_location, int flags)
+{
+    unsigned errors = 0;
+
+    int oops_cnt = g_list_length(oops_list);
+    if (oops_cnt != 0)
+    {
+        log("Found oopses: %d", oops_cnt);
+        if ((flags & ABRT_OOPS_PRINT_STDOUT))
+        {
+            int i = 0;
+            while (i < oops_cnt)
+            {
+                char *kernel_bt = (char*)g_list_nth_data(oops_list, i++);
+                char *tainted_short = kernel_tainted_short(kernel_bt);
+                if (tainted_short)
+                    log("Kernel is tainted '%s'", tainted_short);
+
+                free(tainted_short);
+                printf("\nVersion: %s", kernel_bt);
+            }
+        }
+        if (dump_location != NULL)
+        {
+            log("Creating problem directories");
+            errors = abrt_oops_create_dump_dirs(oops_list, dump_location, flags);
+            if (errors)
+                log("%d errors while dumping oopses", errors);
+            /*
+             * This marker in syslog file prevents us from
+             * re-parsing old oopses. The only problem is that we
+             * can't be sure here that the file we are watching
+             * is the same file where syslog(xxx) stuff ends up.
+             */
+            syslog(LOG_WARNING,
+                    "Reported %u kernel oopses to Abrt",
+                    oops_cnt
+            );
+        }
+    }
+
+    /* If we are run by a log watcher, this delays log rescan
+     * (because log watcher waits to us to terminate)
+     * and possibly prevents dreaded "abrt storm".
+     */
+    int unreported_cnt = oops_cnt - ABRT_OOPS_MAX_DUMPED_COUNT;
+    if (g_abrt_oops_sleep_woke_up_on_signal <= 0 &&
+            (unreported_cnt > 0 && (flags & ABRT_OOPS_THROTTLE_CREATION)))
+    {
+        /* Quadratic throttle time growth, but careful to not overflow in "n*n" */
+        int n = unreported_cnt > 30 ? 30 : unreported_cnt;
+        n = n * n;
+        if (n > 9)
+            log(_("Sleeping for %d seconds"), n);
+        abrt_oops_signaled_sleep(n); /* max 15 mins */
+    }
+
+    return errors;
+}
+
+/* returns number of errors */
+unsigned abrt_oops_create_dump_dirs(GList *oops_list, const char *dump_location, int flags)
+{
+    const int oops_cnt = g_list_length(oops_list);
+    unsigned countdown = ABRT_OOPS_MAX_DUMPED_COUNT; /* do not report hundreds of oopses */
+
+    log_notice("Saving %u oopses as problem dirs", oops_cnt >= countdown ? countdown : oops_cnt);
+
+    char *cmdline_str = xmalloc_fopen_fgetline_fclose("/proc/cmdline");
+    char *fips_enabled = xmalloc_fopen_fgetline_fclose("/proc/sys/crypto/fips_enabled");
+    char *proc_modules = xmalloc_open_read_close("/proc/modules", /*maxsize:*/ NULL);
+    char *suspend_stats = xmalloc_open_read_close("/sys/kernel/debug/suspend_stats", /*maxsize:*/ NULL);
+
+    time_t t = time(NULL);
+    const char *iso_date = iso_date_string(&t);
+    /* dump should be readable by all if we're run with -x */
+    uid_t my_euid = (uid_t)-1L;
+    mode_t mode = DEFAULT_DUMP_DIR_MODE | S_IROTH;
+    /* and readable only for the owner otherwise */
+    if (!(flags & ABRT_OOPS_WORLD_READABLE))
+    {
+        mode = DEFAULT_DUMP_DIR_MODE;
+        my_euid = geteuid();
+    }
+
+    pid_t my_pid = getpid();
+    unsigned idx = 0;
+    unsigned errors = 0;
+    while (idx < oops_cnt)
+    {
+        char base[sizeof("oops-YYYY-MM-DD-hh:mm:ss-%lu-%lu") + 2 * sizeof(long)*3];
+        sprintf(base, "oops-%s-%lu-%lu", iso_date, (long)my_pid, (long)idx);
+        char *path = concat_path_file(dump_location, base);
+
+        struct dump_dir *dd = dd_create(path, /*uid:*/ my_euid, mode);
+        if (dd)
+        {
+            dd_create_basic_files(dd, /*uid:*/ my_euid, NULL);
+            abrt_oops_save_data_in_dump_dir(dd, (char*)g_list_nth_data(oops_list, idx++), proc_modules);
+            dd_save_text(dd, FILENAME_ABRT_VERSION, VERSION);
+            dd_save_text(dd, FILENAME_ANALYZER, "Kerneloops");
+            dd_save_text(dd, FILENAME_TYPE, "Kerneloops");
+            if (cmdline_str)
+                dd_save_text(dd, FILENAME_CMDLINE, cmdline_str);
+            if (proc_modules)
+                dd_save_text(dd, "proc_modules", proc_modules);
+            if (fips_enabled && strcmp(fips_enabled, "0") != 0)
+                dd_save_text(dd, "fips_enabled", fips_enabled);
+            if (suspend_stats)
+                dd_save_text(dd, "suspend_stats", suspend_stats);
+            dd_close(dd);
+            notify_new_path(path);
+        }
+        else
+            errors++;
+
+        free(path);
+
+        if (--countdown == 0)
+            break;
+
+        if (dd && (flags & ABRT_OOPS_THROTTLE_CREATION))
+            if (abrt_oops_signaled_sleep(1) > 0)
+                break;
+    }
+
+    free(cmdline_str);
+    free(proc_modules);
+    free(fips_enabled);
+    free(suspend_stats);
+
+    return errors;
+}
+
+static char *abrt_oops_list_of_tainted_modules(const char *proc_modules)
+{
+    struct strbuf *result = strbuf_new();
+
+    const char *p = proc_modules;
+    for (;;)
+    {
+        const char *end = strchrnul(p, '\n');
+        const char *paren = strchrnul(p, '(');
+        /* We look for a line with this format:
+         * "kvm_intel 126289 0 - Live 0xf829e000 (taint_flags)"
+         * where taint_flags have letters
+         * (flags '+' and '-' indicate (un)loading, we must ignore them).
+         */
+        while (++paren < end)
+        {
+            if ((unsigned)(toupper(*paren) - 'A') <= 'Z'-'A')
+            {
+                strbuf_append_strf(result, result->len == 0 ? "%.*s" : ",%.*s",
+                        (int)(strchrnul(p,' ') - p), p
+                );
+                break;
+            }
+            if (*paren == ')')
+                break;
+        }
+
+        if (*end == '\0')
+            break;
+        p = end + 1;
+    }
+
+    if (result->len == 0)
+    {
+        strbuf_free(result);
+        return NULL;
+    }
+    return strbuf_free_nobuf(result);
+}
+
+void abrt_oops_save_data_in_dump_dir(struct dump_dir *dd, char *oops, const char *proc_modules)
+{
+    char *first_line = oops;
+    char *second_line = (char*)strchr(first_line, '\n'); /* never NULL */
+    *second_line++ = '\0';
+
+    if (first_line[0])
+        dd_save_text(dd, FILENAME_KERNEL, first_line);
+    dd_save_text(dd, FILENAME_BACKTRACE, second_line);
+
+    /* check if trace doesn't have line: 'Your BIOS is broken' */
+    if (strstr(second_line, "Your BIOS is broken"))
+        dd_save_text(dd, FILENAME_NOT_REPORTABLE,
+                _("A kernel problem occurred because of broken BIOS. "
+                  "Unfortunately, such problems are not fixable by kernel maintainers."));
+    /* check if trace doesn't have line: 'Your hardware is unsupported' */
+    else if (strstr(second_line, "Your hardware is unsupported"))
+        dd_save_text(dd, FILENAME_NOT_REPORTABLE,
+                _("A kernel problem occurred, but your hardware is unsupported, "
+                  "therefore kernel maintainers are unable to fix this problem."));
+    else
+    {
+        char *tainted_short = kernel_tainted_short(second_line);
+        if (tainted_short)
+        {
+            log_notice("Kernel is tainted '%s'", tainted_short);
+            dd_save_text(dd, FILENAME_TAINTED_SHORT, tainted_short);
+
+            char *tnt_long = kernel_tainted_long(tainted_short);
+            dd_save_text(dd, FILENAME_TAINTED_LONG, tnt_long);
+            free(tnt_long);
+
+            struct strbuf *reason = strbuf_new();
+            const char *fmt = _("A kernel problem occurred, but your kernel has been "
+                    "tainted (flags:%s). Kernel maintainers are unable to "
+                    "diagnose tainted reports.");
+            strbuf_append_strf(reason, fmt, tainted_short);
+
+            char *modlist = !proc_modules ? NULL : abrt_oops_list_of_tainted_modules(proc_modules);
+            if (modlist)
+            {
+                strbuf_append_strf(reason, _(" Tainted modules: %s."), modlist);
+                free(modlist);
+            }
+
+            dd_save_text(dd, FILENAME_NOT_REPORTABLE, reason->buf);
+            strbuf_free(reason);
+            free(tainted_short);
+        }
+    }
+
+    // TODO: add "Kernel oops: " prefix, so that all oopses have recognizable FILENAME_REASON?
+    // kernel oops 1st line may look quite puzzling otherwise...
+    strchrnul(second_line, '\n')[0] = '\0';
+    dd_save_text(dd, FILENAME_REASON, second_line);
+}
+
+int abrt_oops_signaled_sleep(int seconds)
+{
+    sigset_t set;
+    sigemptyset(&set);
+    sigaddset(&set, SIGTERM);
+    sigaddset(&set, SIGINT);
+    sigaddset(&set, SIGHUP);
+
+    struct timespec timeout;
+    timeout.tv_sec = seconds;
+    timeout.tv_nsec = 0;
+
+    return g_abrt_oops_sleep_woke_up_on_signal = sigtimedwait(&set, NULL, &timeout);
+}
+
+char *abrt_oops_string_filter_regex(void)
+{
+    map_string_t *settings = new_map_string();
+
+    load_abrt_plugin_conf_file("oops.conf", settings);
+
+    int only_fatal_mce = 1;
+    try_get_map_string_item_as_bool(settings, "OnlyFatalMCE", &only_fatal_mce);
+
+    free_map_string(settings);
+
+    if (only_fatal_mce)
+        return xstrdup("^Machine .*$");
+
+    return NULL;
+}
diff --git a/src/plugins/oops-utils.h b/src/plugins/oops-utils.h
new file mode 100644
index 0000000..947f652
--- /dev/null
+++ b/src/plugins/oops-utils.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2014  ABRT team
+ * Copyright (C) 2014  RedHat Inc
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#ifndef _ABRT_OOPS_UTILS_H_
+#define _ABRT_OOPS_UTILS_H_
+
+#include "libabrt.h"
+
+/* How many problem dirs to create at most?
+ * Also causes cooldown sleep with -t if exceeded -
+ * useful when called from a log watcher.
+ */
+#define ABRT_OOPS_MAX_DUMPED_COUNT  5
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum {
+    ABRT_OOPS_THROTTLE_CREATION = 1 << 0,
+    ABRT_OOPS_WORLD_READABLE    = 1 << 1,
+    ABRT_OOPS_PRINT_STDOUT      = 1 << 2,
+};
+
+int g_abrt_oops_sleep_woke_up_on_signal;
+
+int abrt_oops_process_list(GList *oops_list, const char *dump_location, int flags);
+unsigned abrt_oops_create_dump_dirs(GList *oops_list, const char *dump_location, int flags);
+void abrt_oops_save_data_in_dump_dir(struct dump_dir *dd, char *oops, const char *proc_modules);
+int abrt_oops_signaled_sleep(int seconds);
+char *abrt_oops_string_filter_regex(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /*_ABRT_OOPS_UTILS_H_*/
-- 
1.9.3