A brief discussion on Android log analysis

【51CTO.com Quick Translation】It is well known that logs play an important role in the entire development life cycle of application products. For example: during the software development process, error logs can help developers identify logical errors in the program in a timely manner; and after the product is released to the market, support engineers can solve various difficult and complicated problems by analyzing error logs. In our commonly used Android system, various logs are centrally managed by default. Of course, there are many tools on the market that can be used to develop Android applications, which allow application developers to write custom log messages and various filters defined by specific log statements. Currently, the Android ecosystem provides different types of logs, including: application logs, system logs, event logs, and radio logs.

The logging system consists of a kernel driver and kernel buffer (for storing Android log messages), C, C++, and Java classes that can be used to create log entries and access log messages, a standalone program that can be used to view log messages (logcat), and components such as viewing logs and filtering log messages from the host (through eclipse or ddms).

The Linux kernel of the Android system has four different log buffers, which provide logging for different parts of the system. For example, through the device node /dev/log in the file system, we can access Android's four log buffers: main, event, radio, and system. The main log is used for applications, event is used for system event information, radio is used for phone related information, and system is related to low-level system messages and debugging.

Each message in the log contains a tag that tells us: which part of the system or application the message came from, the timestamp (when the message arrived), the log level of the message (or the priority of the event the message represents), and the body of the log message itself (detailed description of the error, exception, or information).

Four major log types in the Android system:

1. Application log

• Use the android.util.Log class methods to write messages of different priorities to the log.
• Utilize various Java classes to statically declare their tags as strings and pass them to the logging methods.
• Log methods can be used to identify the "priority" (or log level) of a message.
• Various message retrieval tools (logcat) can filter by identifier or priority when processing logs.

2. System log

• Use the android.util.Slog class to write messages with different priorities and their associated messages.
• Many Android framework classes provide the ability to separate system logs (which can be noisy) from application log messages.
• The formatted message is passed to the kernel driver through the C/C++ library, which can store the message in an appropriate buffer (such as a system buffer).

3. Event Log

• Use the android.util.EventLog class to create event log messages, which are typically in binary format.
• Log entries consist of a binary marker code followed by binary arguments.
• Message tag codes are usually stored in the system's /system/etc/event-log-tags.
• Each message carries a string containing the log message, and a code pointing to the associated (stored) value for that entry.

4. Broadcast log

• Acts on telephone (modem) related information.
• Log entries consist of a binary tag code and a message, and can be used to provide various types of network information.
• The logging system automatically routes messages with specific tags to the radio buffer.

Log format on Android

The common log format in the Android system is: tv_sectv_nsec priority pidtid tag messageLen Message. Among them:

• tag: log tag.
• tv_sec&tv_nsec: Timestamp of the log message.
• pid: The process ID from the log message.
• tid: thread ID.
• The priority values ​​can be arranged in order from low to high according to the following rules:
  • V - Verbose (lowest priority)*
  • D - Debug*
  • I-Information (Info)*
  • W - Warning*
  • E-Error*
  • F - Fatal*
  • S - Silent (highest priority, but does not print anything)*

Log file location

In principle, Android logs (including crash logs) can be stored in multiple places, and there is no requirement for a standardized directory (i.e., specific to the system's ROM). Here, we introduce some commonly used and common directories:

• /data/anr: Dalvik writes a stack trace at ANR, which stands for "Application Not Responding", also known as "Force-Close".
• /data/dontpanic: Some crash logs are included here for various tracking purposes.
• /data/kernelpanics: Logs related to kernel panic are stored here.
• /data/tombstones: This will contain multiple tombstone_nn files (nn is a number from 0 to 10, that is, it needs to be recounted after exceeding 10).

"Log" related command line tools

In actual projects, we can use various applications or command line tools to capture relevant logs generated on Android from devices or emulators, and then share them with various developers or maintainers so that they can conduct in-depth analysis. The following are three commonly used commands:

• adb logcat: displays all types of logs of the current Android system.
• adb logcat -v threadtime: Include date and time in the display.
• adb logcat -v threadtime > logfile.txt: stores logs in logfile.txt.

Useful filter patterns

To reduce the amount of data, you can use the following filter in the adb command (see https://www.pcloudy.com/executing-adb-shell-commands/) to reduce the total amount of logs. Of course, you can also use such filters to search the log files on the user's Android device.

• adb logcat -f: Save all logs to a file.
• adb logcat "*:E": Get all fatal error messages.
• adb logcat | grep -i "foo.example.": Get all logs related to "foo.example.*" and mark them.
• adb logcat "application_or_tag_name:*" "*:S": Get all logs by application name.
• adb logcat -b events "gsm_service_state_change" "*:S": Get all GSM state changes.
• adb logcat -b radio: Get all radio events.

Log analysis

So far, we have a basic understanding of Android's log system. In actual analysis, we usually focus on two types of application logs, which are:

• Debug logs – log files generated during the development and testing phases.
• Production Logs – files generated directly by the end user during the use process.

We can use tools such as GoogleLogTool and SonyLogTool to perform in-depth analysis by adopting filter patterns.

Original title: Android Log Analysis, Author: Bala Murugan

[Translated by 51CTO. Please indicate the original translator and source as 51CTO.com when reprinting on partner sites]