README.auditd
1Auditd Daemon
2
3The audit daemon is a simplified version of its desktop
4counterpart designed to gather the audit logs from the
5audit kernel subsystem. The audit subsystem of the kernel
6includes Linux Security Modules (LSM) messages as well.
7
8To enable the audit subsystem, you must add this to your
9kernel config:
10CONFIG_AUDIT=y
11
12To enable a LSM, you must consult that LSM's documentation, the
13example below is for SELinux:
14CONFIG_SECURITY_SELINUX=y
15
16This does not include possible dependencies that may need to be
17satisfied for that particular LSM.
18
README.property
1The properties that logd and friends react to are:
2
3name type default description
4ro.logd.auditd bool true Enable selinux audit daemon
5ro.logd.auditd.dmesg bool true selinux audit messages sent to dmesg.
6ro.logd.auditd.main bool true selinux audit messages sent to main.
7ro.logd.auditd.events bool true selinux audit messages sent to events.
8persist.logd.security bool false Enable security buffer.
9ro.organization_owned bool false Override persist.logd.security to false
10ro.logd.kernel bool svelte+ Enable klogd daemon
11logd.statistics bool svelte+ Enable logcat -S statistics.
12ro.debuggable number if not "1", logd.statistics &
13 ro.logd.kernel default false.
14logd.logpersistd.enable bool auto Safe to start logpersist daemon service
15logd.logpersistd string persist Enable logpersist daemon, "logcatd"
16 turns on logcat -f in logd context.
17 Responds to logcatd, clear and stop.
18logd.logpersistd.buffer persist logpersistd buffers to collect
19logd.logpersistd.size persist logpersistd size in MB
20logd.logpersistd.rotate_kbytes persist logpersistd outout file size in KB.
21persist.logd.logpersistd string Enable logpersist daemon, "logcatd"
22 turns on logcat -f in logd context.
23persist.logd.logpersistd.buffer all logpersistd buffers to collect
24persist.logd.logpersistd.size 256 logpersistd size in MB
25persist.logd.logpersistd.count 256 sets max number of rotated logs to <count>.
26persist.logd.logpersistd.rotate_kbytes 1024 logpersistd output file size in KB
27persist.logd.size number ro Global default size of the buffer for
28 all log ids at initial startup, at
29 runtime use: logcat -b all -G <value>
30ro.logd.size number svelte default for persist.logd.size. Larger
31 platform default sizes than 256KB are
32 known to not scale well under log spam
33 pressure. Address the spam first,
34 resist increasing the log buffer.
35persist.logd.size.<buffer> number ro Size of the buffer for <buffer> log
36ro.logd.size.<buffer> number svelte default for persist.logd.size.<buffer>
37ro.config.low_ram bool false if true, logd.statistics,
38 ro.logd.kernel default false,
39 logd.size 64K instead of 256K.
40persist.logd.filter string Pruning filter to optimize content.
41 At runtime use: logcat -P "<string>"
42ro.logd.filter string "~! ~1000/!" default for persist.logd.filter.
43 This default means to prune the
44 oldest entries of chattiest UID, and
45 the chattiest PID of system
46 (1000, or AID_SYSTEM).
47log.tag string persist The global logging level, VERBOSE,
48 DEBUG, INFO, WARN, ERROR, ASSERT or
49 SILENT. Only the first character is
50 the key character.
51persist.log.tag string build default for log.tag
52log.tag.<tag> string persist The <tag> specific logging level.
53persist.log.tag.<tag> string build default for log.tag.<tag>
54
55logd.buffer_type string (empty) Set the log buffer type. Current choices are 'simple',
56 'chatty', or 'serialized'. Defaults to 'chatty' if empty.
57
58NB:
59- auto - managed by /init
60- svelte - see ro.config.low_ram for details.
61- svelte+ - If empty, default to true if `ro.config.low_ram == false && ro.debuggable == true`
62- ro - <base property> temporary override, ro.<base property> platform default.
63- persist - <base property> override, persist.<base property> platform default.
64- build - VERBOSE for native, DEBUG for jvm isLoggable, or developer option.
65- number - support multipliers (K or M) for convenience. Range is limited
66 to between 64K and 256M for log buffer sizes. Individual log buffer ids
67 such as main, system, ... override global default.
68- Pruning filter rules are specified as UID, UID/PID or /PID. A '~' prefix indicates that elements
69 matching the rule should be pruned with higher priority otherwise they're pruned with lower
70 priority. All other pruning activity is oldest first. Special case ~! represents an automatic
71 pruning for the noisiest UID as determined by the current statistics. Special case ~1000/!
72 represents pruning of the worst PID within AID_SYSTEM when AID_SYSTEM is the noisiest UID.
73
README.replay.md
1logd can record and replay log messages for offline analysis.
2
3Recording Messages
4------------------
5
6logd has a `RecordingLogBuffer` buffer that records messages to /data/misc/logd/recorded-messages.
7It stores messages in memory until that file is accessible, in order to capture all messages since
8the beginning of boot. It is only meant for logging developers to use and must be manually enabled
9in by adding `RecordingLogBuffer.cpp` to `Android.bp` and setting
10`log_buffer = new SimpleLogBuffer(&reader_list, &log_tags, &log_statistics);` in `main.cpp`.
11
12Recording messages may delay the Log() function from completing and it is highly recommended to make
13the logd socket in `liblog` blocking, by removing `SOCK_NONBLOCK` from the `socket()` call in
14`liblog/logd_writer.cpp`.
15
16Replaying Messages
17------------------
18
19Recorded messages can be replayed offline with the `replay_messages` tool. It runs on host and
20device and supports the following options:
21
221. `interesting` - this prints 'interesting' statistics for each of the log buffer types (simple,
23 chatty, serialized). The statistics are:
24 1. Log Entry Count
25 2. Size (the uncompressed size of the log messages in bytes)
26 3. Overhead (the total cost of the log messages in memory in bytes)
27 4. Range (the range of time that the logs cover in seconds)
282. `memory_usage BUFFER_TYPE` - this prints the memory usage (sum of private dirty pages of the
29 `replay_messages` process). Note that the input file is mmap()'ed as RO/Shared so it does not
30 appear in these dirty pages, and a baseline is taken before allocating the log buffers, so only
31 their contributions are measured. The tool outputs the memory usage every 100,000 messages.
323. `latency BUFFER_TYPE` - this prints statistics of the latency of the Log() function for the given
33 buffer type. It specifically prints the 1st, 2nd, and 3rd quartiles; the 95th, 99th, and 99.99th
34 percentiles; and the maximum latency.
354. `print_logs BUFFER_TYPE [buffers] [print_point]` - this prints the logs as processed by the given
36 buffer_type from the buffers specified by `buffers` starting after the number of logs specified by
37 `print_point` have been logged. This acts as if a user called `logcat` immediately after the
38 specified logs have been logged, which is particularly useful since it will show the chatty
39 pruning messages at that point. It additionally prints the statistics from `logcat -S` after the
40 logs.
41 `buffers` is a comma separated list of the numeric buffer id values from `<android/log.h>`. For
42 example, `0,1,3` represents the main, radio, and system buffers. It can can also be `all`.
43 `print_point` is an positive integer. If it is unspecified, logs are printed after the entire
44 input file is consumed.
455. `nothing BUFFER_TYPE` - this does nothing other than read the input file and call Log() for the
46 given buffer type. This is used for profiling CPU usage of strictly the log buffer.
47