Since: API level 6
public class

AuditLog

extends Object
java.lang.Object
   ↳ com.samsung.android.knox.log.AuditLog

Class Overview

This class provides APIs to log events to be used for forensic analysis of the device. It also provides additional APIs to manage logging, such as enabling, disabling and getting log size and file.

There are 5 different severity grades for the log events (in descending order of severity):

- ALERT a(int, boolean, int, String, String)
- CRITICAL c(int, boolean, int, String, String)
- ERROR e(int, boolean, int, String, String)
- WARNING w(int, boolean, int, String, String)
- NOTICE n(int, boolean, int, String, String)

The appropriate method must be selected according to the event severity above. The parameters must be passed as follow:

- moduleGroup: AUDIT_LOG_GROUP_SECURITY, AUDIT_LOG_GROUP_SYSTEM, AUDIT_LOG_GROUP_NETWORK, AUDIT_LOG_GROUP_EVENTS or AUDIT_LOG_GROUP_APPLICATION
- outcome: the outcome of the event to be logged, whether success (true) or fail (false)
- pid: the pid of the process which generated the event
- swComponent: the class name of the component that generated the event
- logMessage: the message to be logged

Audit log feature works with three different thresholds for managing log storage. These thresholds are Critical, Maximum and Full log size. Critical and Maximum thresholds have a default value of 70% and 90%, respectively, and can be redefined through setCriticalLogSize(int) and setMaximumLogSize(int). Full log size has a fixed value of 97%. These values are percentages related to the total disk space reserved for storing audit logs, for each administrator. Whenever the log storage passes each threshold an intent is sent to warn the administrator. The intents are sent only once when the threshold is passed and only will be sent again after a full dump.

Each message will appear as a line on the log file like the following example:

1695411709231 5/5/1/1360/0/BluetoothUtils/Exchanging data via bluetooth succeeded.

Where:

1695411709231 - Timestamp of the event occurrence. In order to preserve log coherence, administrator may block manual time changing. For more information, please see DateTimePolicy.
5 - Severity.
5 - Module group.
1 - Outcome. 1 for success and 0 for failure.
1360 - Process ID (PID) that triggered the event.
0 - User ID that triggered the event.
BluetoothUtils - Software component where the event occured.
Exchanging data via bluetooth succeeded. - Auditlog message. For all messages being logged by AuditLog, please refer to AuditEvents

NOTE: Before MDM 5.5, any administrator that had enabled audit log is getting logs from all users and containers by default. Since MDM 5.5, administrator will get logs only from user it is installed and container(s) it owns. The only exception to this rule occurs with a device administrator installed at owner (user 0) in a multi-user scenario: logs from other users will also be retrieved by device administrator, keeping compatibility with prior MDM 5.5 implementation.

Since
API level 6
KNOX 1.0

Summary

Constants
String ACTION_AUDIT_CRITICAL_SIZE Broadcast Action: Intent to notify that the log file has reached its critical size.
String ACTION_AUDIT_FULL_SIZE Broadcast Action: Intent to notify that the log file is full and data will start to be overwritten.
String ACTION_AUDIT_MAXIMUM_SIZE Broadcast Action: Intent to notify that the log file has reached its maximum size.
String ACTION_DUMP_LOG_RESULT Broadcast Action: Intent to notify the Dump Log result.
String ACTION_LOG_EXCEPTION Broadcast Action: Intent to notify exception log process.
int AUDIT_LOG_GROUP_APPLICATION To classify log messages related to application events, use application group.
int AUDIT_LOG_GROUP_EVENTS To classify log messages related to general events, use events group.
int AUDIT_LOG_GROUP_NETWORK To classify log messages related to network events, use network group.
int AUDIT_LOG_GROUP_SECURITY To classify log messages related to security events, use security group.
int AUDIT_LOG_GROUP_SYSTEM To classify log messages related to system events, use system group.
int AUDIT_LOG_SEVERITY_ALERT Indicates an Alert severity event.
int AUDIT_LOG_SEVERITY_CRITICAL Indicates a Critical severity event.
int AUDIT_LOG_SEVERITY_ERROR Indicates an Error severity event.
int AUDIT_LOG_SEVERITY_NOTICE Indicates a Notice severity event.
int AUDIT_LOG_SEVERITY_WARNING Indicates a Warning severity event.
int ERROR_NONE Error code to indicate that Dump operation was successful.
int ERROR_UNKNOWN Indicates an unknown error.
String EXTRA_AUDIT_RESULT Extra Data to be Included on Broadcast Intent from AuditLog
Public Methods
static void a(int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)
API to log events with ALERT severity
static void c(int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)
API to log events with CRITICAL severity
boolean disableAuditLog()
API to disable Audit Logs on Device
boolean disableIPTablesLogging()
Deprecated in API level 35
NOTE: This API is not available since Android 12.
boolean dumpLogFile(long begin, long end, String filter, ParcelFileDescriptor outputFile)
API to get audit log information and copy to a file
static void e(int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)
API to log events with ERROR severity
boolean enableAuditLog()
API to enable Audit Logs on Device
boolean enableIPTablesLogging()
Deprecated in API level 35
NOTE: This API is not available since Android 12.
AuditLogRulesInfo getAuditLogRules()
API to get the rules for AuditLog while collecting log information.
int getCriticalLogSize()
API to get critical occupation percentage of audit log file set on device.
int getCurrentLogFileSize()
API to get current size of audit log file on device.
int getMaximumLogSize()
API to get maximum occupation percentage of audit log file set on device.
boolean isAuditLogEnabled()
API to check the status of audit log service on device.
boolean isIPTablesLoggingEnabled()
Deprecated in API level 35
NOTE: This API is not available since Android 12.
static void n(int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)
API to log events with NOTICE severity
boolean setAuditLogRules(AuditLogRulesInfo auditLogRulesInfo)
API to set AuditLog rules used to restrict data logging.
boolean setCriticalLogSize(int percentageValue)
API to set critical occupation percentage of audit log file.
boolean setMaximumLogSize(int percentageValue)
API to set maximum occupation percentage of audit log file.
static void w(int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)
API to log events with WARNING severity
[Expand]
Inherited Methods
From class java.lang.Object

Constants

public static final String ACTION_AUDIT_CRITICAL_SIZE

Since: API level 6

Broadcast Action: Intent to notify that the log file has reached its critical size.

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.action.AUDIT_CRITICAL_SIZE"

public static final String ACTION_AUDIT_FULL_SIZE

Since: API level 6

Broadcast Action: Intent to notify that the log file is full and data will start to be overwritten.

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.action.AUDIT_FULL_SIZE"

public static final String ACTION_AUDIT_MAXIMUM_SIZE

Since: API level 6

Broadcast Action: Intent to notify that the log file has reached its maximum size.

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.action.AUDIT_MAXIMUM_SIZE"

public static final String ACTION_DUMP_LOG_RESULT

Since: API level 6

Broadcast Action: Intent to notify the Dump Log result. This is a targeted broadcast, sent only to the administrator calling the API. The intent will have the following extra value: EXTRA_AUDIT_RESULT:
ERROR_NONE: Successfully dump
ERROR_UNKNOWN: Error during dump

Permission
Receiver must hold "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.action.DUMP_LOG_RESULT"

public static final String ACTION_LOG_EXCEPTION

Since: API level 6

Broadcast Action: Intent to notify exception log process. The intent will have the following extra value: EXTRA_AUDIT_RESULT:
The value at EXTRA_AUDIT_RESULT is a string containing the stack trace generated by the exception

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.action.LOG_EXCEPTION"

public static final int AUDIT_LOG_GROUP_APPLICATION

Since: API level 6

To classify log messages related to application events, use application group. Used to set the module group at log functions:
a(int, boolean, int, String, String)
c(int, boolean, int, String, String)
e(int, boolean, int, String, String)
n(int, boolean, int, String, String)
w(int, boolean, int, String, String)

Since
API level 6
KNOX 1.0
Constant Value: 5 (0x00000005)

public static final int AUDIT_LOG_GROUP_EVENTS

Since: API level 6

To classify log messages related to general events, use events group. Used to set the module group at log functions:
a(int, boolean, int, String, String)
c(int, boolean, int, String, String)
e(int, boolean, int, String, String)
n(int, boolean, int, String, String)
w(int, boolean, int, String, String)

Since
API level 6
KNOX 1.0
Constant Value: 4 (0x00000004)

public static final int AUDIT_LOG_GROUP_NETWORK

Since: API level 6

To classify log messages related to network events, use network group. Used to set the module group at log functions:
a(int, boolean, int, String, String)
c(int, boolean, int, String, String)
e(int, boolean, int, String, String)
n(int, boolean, int, String, String)
w(int, boolean, int, String, String)

Since
API level 6
KNOX 1.0
Constant Value: 3 (0x00000003)

public static final int AUDIT_LOG_GROUP_SECURITY

Since: API level 6

To classify log messages related to security events, use security group. Used to set the module group at log functions:
a(int, boolean, int, String, String)
c(int, boolean, int, String, String)
e(int, boolean, int, String, String)
n(int, boolean, int, String, String)
w(int, boolean, int, String, String)

Since
API level 6
KNOX 1.0
Constant Value: 1 (0x00000001)

public static final int AUDIT_LOG_GROUP_SYSTEM

Since: API level 6

To classify log messages related to system events, use system group. Used to set the module group at log functions:
a(int, boolean, int, String, String)
c(int, boolean, int, String, String)
e(int, boolean, int, String, String)
n(int, boolean, int, String, String)
w(int, boolean, int, String, String)

Since
API level 6
KNOX 1.0
Constant Value: 2 (0x00000002)

public static final int AUDIT_LOG_SEVERITY_ALERT

Since: API level 17

Indicates an Alert severity event.

Usage
Alert level severity indicates that some action must be taken immediately.
Since
API level 17
KNOX 2.5
Constant Value: 1 (0x00000001)

public static final int AUDIT_LOG_SEVERITY_CRITICAL

Since: API level 17

Indicates a Critical severity event.

Usage
Critical level severity indicates critical conditions events.
Since
API level 17
KNOX 2.5
Constant Value: 2 (0x00000002)

public static final int AUDIT_LOG_SEVERITY_ERROR

Since: API level 17

Indicates an Error severity event.

Usage
Error level severity indicates that some error has occurred.
Since
API level 17
KNOX 2.5
Constant Value: 3 (0x00000003)

public static final int AUDIT_LOG_SEVERITY_NOTICE

Since: API level 17

Indicates a Notice severity event.

Usage
Notice level severity indicates normal, but significant conditions.
Since
API level 17
KNOX 2.5
Constant Value: 5 (0x00000005)

public static final int AUDIT_LOG_SEVERITY_WARNING

Since: API level 17

Indicates a Warning severity event.

Usage
Warning level severity does not indicates an error, but that an error may happen if no action is taken.
Since
API level 17
KNOX 2.5
Constant Value: 4 (0x00000004)

public static final int ERROR_NONE

Since: API level 6

Error code to indicate that Dump operation was successful. dumpLogFile(long, long, String, ParcelFileDescriptor).

Since
API level 6
KNOX 1.0
Constant Value: 0 (0x00000000)

public static final int ERROR_UNKNOWN

Since: API level 6

Indicates an unknown error.

Since
API level 6
KNOX 1.0
Constant Value: -2000 (0xfffff830)

public static final String EXTRA_AUDIT_RESULT

Since: API level 6

Extra Data to be Included on Broadcast Intent from AuditLog

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.extra.AUDIT_RESULT"

Public Methods

public static void a (int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)

Since: API level 6

API to log events with ALERT severity

Parameters
moduleGroup Which of the five available modules group generated the event: AUDIT_LOG_GROUP_APPLICATION , AUDIT_LOG_GROUP_EVENTS, AUDIT_LOG_GROUP_NETWORK, AUDIT_LOG_GROUP_SECURITY and AUDIT_LOG_GROUP_SYSTEM
outcome Result of event that you want to log, success (true) or fail ( false)
pid pid of the process that generated the event
swComponent Class name of the component that generated the event
logMessage Message to log on AuditLog Record
Throws
SecurityException If caller does not have required permissions
Usage
This method will generate an AuditLog record with the ALERT severity.

 try {
     AuditLog.a(AuditLog.AUDIT_LOG_GROUP_APPLICATION, false, android.os.Process.myPid(), this
             .getClass().getSimpleName(),
             "Pairing bluetooth failed. Unable to get device address.");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:

NOTE: This API can only be called statically. The context used for log will always be the administrator's one, even if calling this API for container.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public static void c (int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)

Since: API level 6

API to log events with CRITICAL severity

Parameters
moduleGroup Which of the five available modules group generated the event: AUDIT_LOG_GROUP_APPLICATION , AUDIT_LOG_GROUP_EVENTS, AUDIT_LOG_GROUP_NETWORK, AUDIT_LOG_GROUP_SECURITY and AUDIT_LOG_GROUP_SYSTEM
outcome Result of event that you want to log, success (true) or fail ( false)
pid pid of the process that generated the event
swComponent Class name of the component that generated the event
logMessage Message to log on AuditLog Record
Throws
SecurityException If caller does not have required permissions
Usage
This method will generate an AuditLog record with the CRITICAL severity.

 try {
     AuditLog.c(AuditLog.AUDIT_LOG_GROUP_EVENTS, false, android.os.Process.myPid(),
             this.getClass()
                     .getSimpleName(),
             "Pairing bluetooth failed. Unable to get device address.");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:

NOTE: This API can only be called statically. The context used for log will always be the administrator's one, even if calling this API for container.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public boolean disableAuditLog ()

Since: API level 6

API to disable Audit Logs on Device

Returns
  • Returns true if the service was correctly disabled or false if it was not disabled.
Throws
SecurityException If caller does not have required permissions
Usage
Used to disable AuditLog feature on device.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     boolean ret = auditLog.disableAuditLog();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.disableAuditLog();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User scope

public boolean disableIPTablesLogging ()

Since: API level 6

Deprecated in API level 35
NOTE: This API is not available since Android 12.

API to disable IPTables logging on Device

Returns
  • Returns true if the service was correctly disabled or false if it was not disabled.
Throws
SecurityException If caller does not have required permissions
Usage
Used to disallow IP Tables events to be recorded on AuditLog feature.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     boolean ret = auditLog.disableIPTablesLogging();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditlog = kcm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.disableIPTablesLogging();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public boolean dumpLogFile (long begin, long end, String filter, ParcelFileDescriptor outputFile)

Since: API level 6

API to get audit log information and copy to a file

Parameters
begin Initial timestamp from which the dump must start. Must be entered as a long in Unix format, with miliseconds precision. This count starts at the Unix Epoch on January 1st, 1970.
end Final timestamp until which the dump must go. However, the final timestamp is not include in the log. Must be entered as a long in Unix format, with miliseconds precision. This count starts at the Unix Epoch on January 1st, 1970.
filter Regular expression string to filter results
outputFile ParcelFileDescriptor of the file in which logs will be dumped. For all messages being logged by AuditLog, please refer to AuditEvents
Throws
SecurityException If caller does not have required permissions
If caller has not created ParcelFileDescriptor correctly
Usage
This API receives a ParcelFileDescriptor [outputFile] to indicate where to copy log entries stored in the device, so administrator can have access to the logs. The log entries cannot be accessed directly, as the file in which they are stored is not accessible. The [outputFile] is an unencrypted gzip and it is administrator's responsibility to guarantee security of his ParcelFileDescriptor.

The API also provides entries to specify a time period in the log file to dump [begin][end] and provides a parameter to input a regular expression to be used as filter to the log entries to be dumped [filter]. These functions work independently but can be used combined.

To perform a full dump without filtering, parameters [begin] and [end] MUST be set to -1 and [filter] MUST bet set to null. Be aware that specifying a filter and/or a time period to log will considerably increase the dump time. Also, when specifying a time period, the dump result might be null if that time period generated no logs.

Since dump operation may take several minutes to complete, it happens in an asynchronous way, i.e. the administrator requests the dump and receives an intent ACTION_DUMP_LOG_RESULT informing when the operation is completed. This intent also contains the outcome (success/failure) of the dump process. Parameter [filter] should be null if no regex filter is needed. The ParcelFileDescriptor provided must point to a valid file otherwise the operation will fail and an exception may occur.


NOTE 1: Since Android N(7.0), administrator must dump to current application filesystem, and then move it to Sdcard directory, if necessary. This API is not able to write directly on Sdcard (internal or external) anymore due to Android security limitation.

NOTE 2: Since Android R(11.0), if dump operation is done by a profile owner either at work profile or its parent (user 0) on a company-owned device, some parent profile logs will be redacted/removed due to privacy concern.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 if (auditLog.isAuditLogEnabled()) {
 
     // Set the Filter for Severity Level
     String filterRegex = "*[1-5]/[3]/[0-1]/* .*[1-5]/[3]/[0-1]/.*";
 
     // Set the Begin Time for the output logs
     mBeginDate = new Date();
     long dateBegin = mBeginDate.getTime();
 
     // Set the End Time for the output logs
     mEndDate = new Date(mBeginDate.getTime() + 50000);
     long dateFinal = mEndDate.getTime();
 
     // Dump path for PartialFile into application filesystem
      File dFile = mContext.getFileStreamPath("dump.gz");
 
     // Check if the file already exist
     if (dFile.exists()) {
         dFile.delete();
     }
     // Create new file
     try {
         dFile.createNewFile();
     } catch (IOException e) {
         errorMessage = "Dump failed: " + e.getMessage();
         Log.e(TAG, errorMessage);
     }
     ParcelFileDescriptor outputFile = null;
 
     try {
         outputFile = ParcelFileDescriptor.open(dFile, ParcelFileDescriptor.MODE_READ_WRITE
                 | ParcelFileDescriptor.MODE_CREATE | ParcelFileDescriptor.MODE_TRUNCATE);
 
         boolean ret = auditLog.dumpLogFile(dateBegin, dateFinal, filterRegex, outputFile);
 
     } catch (FileNotFoundException e) {
         Log.w(TAG, "FileNotFoundException: " + e);
     } catch (SecurityException e) {
         Log.w(TAG, "SecurityException: " + e);
     }
 } else {
     Log.w(TAG, "AuditLog is not Running ");
 }

 // Code sample to move the dump file from application internal filesystem to the app folder created in external storage
 String finalPath = mContext.getExternalFilesDir(null).getPath() + "/dump_10278.gz";
 File finalFile = new File(finalPath);
 String mDataFilePath = dFile.getAbsolutePath();
 String mSdcardFilePath = finalFile.getAbsolutePath();
 InputStream in = null;
 OutputStream out = null;

 try { 
    in = new FileInputStream(mDataFilePath);
    out = new FileOutputStream(mSdcardFilePath);

    byte[] buffer = new byte[1024];
    int read;
    while ((read = in.read(buffer)) != -1) {
 	      out.write(buffer, 0, read);
    }
 
    // write the output file
    out.flush();

    // delete the original file
    new File(mDataFilePath).delete();

 }
 
 catch (FileNotFoundException e1) {
     Log.e(TAG, e1.getMessage());
 } catch (IOException e2) {
     Log.e(TAG, e2.getMessage());
 }
 finally {
     if (out != null) {
         out.close();
     }
     if (in != null) {
         in.close();
     }
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 if (auditLog.isAuditLogEnabled()) {
 
     // Set the Filter for Severity Level
     String filterRegex = "*[1-5]/[3]/[0-1]/* .*[1-5]/[3]/[0-1]/.*";

     // Set the Begin Time for the output logs
     mBeginDate = new Date();
     long dateBegin = mBeginDate.getTime();

     // Set the End Time for the output logs
     mEndDate = new Date(mBeginDate.getTime() + 50000);
     long dateFinal = mEndDate.getTime();

     // Dump path for PartialFile into application filesystem
     File dFile = mContext.getFileStreamPath("dump.gz");

     // Create new file
     try {
         dFile.createNewFile();
     } catch (IOException e) {
         errorMessage = "Dump failed: " + e.getMessage();
         Log.e(TAG, errorMessage);
     }

     // Check if the file already exist
     if (dFile.exists()) {
         dFile.delete();
     }

     ParcelFileDescriptor outputFile = null;
     try {
         outputFile = ParcelFileDescriptor.open(dFile, ParcelFileDescriptor.MODE_READ_WRITE
                 | ParcelFileDescriptor.MODE_CREATE | ParcelFileDescriptor.MODE_TRUNCATE);

         boolean ret = auditLog.dumpLogFile(dateBegin, dateFinal, filterRegex, outputFile);

     } catch (FileNotFoundException e) {
         Log.w(TAG, "FileNotFoundException: " + e);
     } catch (SecurityException e) {
         Log.w(TAG, "SecurityException: " + e);
     }
 } else {
     Log.w(TAG, "AuditLog is not Running ");
 }

 // Code sample to move the dump file from application internal filesystem to the app folder created in external storage
 String finalPath = mContext.getExternalFilesDir(null).getPath() + "/dump_10278.gz";
 File finalFile = new File(finalPath);
 String mDataFilePath = dFile.getAbsolutePath();
 String mSdcardFilePath = finalFile.getAbsolutePath();
 InputStream in = null;
 OutputStream out = null;

 try { 
    in = new FileInputStream(mDataFilePath);
    out = new FileOutputStream(mSdcardFilePath);

    byte[] buffer = new byte[1024];
    int read;
    while ((read = in.read(buffer)) != -1) {
 	      out.write(buffer, 0, read);
    }
 
    // write the output file
    out.flush();

    // delete the original file
    new File(mDataFilePath).delete();
 }
 
 catch (FileNotFoundException e1) {
     Log.e(TAG, e1.getMessage());
 } catch (IOException e2) {
     Log.e(TAG, e2.getMessage());
 }
 finally {
     if (in != null) {
         try {
             in.close();
         } catch (IOException e) {
             Log.e(TAG, e.getMessage());
         }
     }
     if (out != null) {
         try {
             out.close();
         } catch (IOException e) {
             Log.e(TAG, e.getMessage());
         }
     }
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public static void e (int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)

Since: API level 6

API to log events with ERROR severity

Parameters
moduleGroup Which of the five available modules group generated the event: AUDIT_LOG_GROUP_APPLICATION , AUDIT_LOG_GROUP_EVENTS, AUDIT_LOG_GROUP_NETWORK, AUDIT_LOG_GROUP_SECURITY and AUDIT_LOG_GROUP_SYSTEM
outcome Result of event that you want to log, success (true) or fail ( false)
pid pid of the process that generated the event
swComponent Class name of the component that generated the event
logMessage Message to log on AuditLog Record
Throws
SecurityException If caller does not have required permissions
Usage
This method will generate an AuditLog record with the ERROR severity.

 try {
     AuditLog.e(AuditLog.AUDIT_LOG_GROUP_SYSTEM, false, android.os.Process.myPid(), this
             .getClass().getSimpleName(),
             "Pairing bluetooth failed. Unable to get device address.");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:

NOTE: This API can only be called statically. The context used for log will always be the administrator's one, even if calling this API for container.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public boolean enableAuditLog ()

Since: API level 6

API to enable Audit Logs on Device

Returns
  • Returns true if the service was correctly started or false if device does not have enough storage available.
Throws
SecurityException If caller does not have required permissions
Usage
Used to enable AuditLog feature on device.

This API reserves 5% of available storage on device for each administrator, limited to a minimum of 10 MB and a maximum of 50 MB. If device does not have the required minimum available storage of 200 MB (5% of 200 == 10), API will return false.



NOTE: Since KNOX 2.6, this policy is no longer supported by Chrome.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     boolean ret = auditLog.enableAuditLog();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.enableAuditLog();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User scope

public boolean enableIPTablesLogging ()

Since: API level 6

Deprecated in API level 35
NOTE: This API is not available since Android 12.

API to enable IPTables Logging on Device

Returns
  • Returns true if the service was correctly started or false if it was not started.
Throws
SecurityException If caller does not have required permissions
Usage
Used to allow IP Tables events to be recorded on AuditLog feature.


NOTE: Since Android R(11.0), if this value is turned on by a profile owner either at work profile or its parent (user 0) on a company-owned device, only the iptable events generated at work profile will be logged due to privacy concern.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     boolean ret = auditLog.enableIPTablesLogging();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.enableIPTablesLogging();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public AuditLogRulesInfo getAuditLogRules ()

Since: API level 17

API to get the rules for AuditLog while collecting log information.

Returns
  • AuditLogRulesInfo profile.
Throws
SecurityException If caller does not have required permissions
Usage
This API allows administrator to retrieve the current AuditLogRulesInfo() profile.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     AuditLogRulesInfo ret = auditLog.getAuditLogRules();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     AuditLogRulesInfo ret = auditLog.getAuditLogRules();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 17
KNOX 2.5
Multiuser Environment
User scope

public int getCriticalLogSize ()

Since: API level 6

API to get critical occupation percentage of audit log file set on device.

Returns
  • Returns the critical log file size (in percentage of full file) set on device.
Throws
SecurityException If caller does not have required permissions
Usage
Used to get the checkpoint set for the Critical Alert to be sent to Admin.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 try {
     int size = auditLog.getCriticalLogSize();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     int size = auditLog.getCriticalLogSize();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public int getCurrentLogFileSize ()

Since: API level 6

API to get current size of audit log file on device.

Returns
  • Returns current size of the log file (in percentage of full file size).
Throws
SecurityException If caller does not have required permissions
Usage
Used to get the current log file size on the AuditLog framework.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     int size = auditLog.getCurrentLogFileSize();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     int size = auditLog.getCurrentLogFileSize();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public int getMaximumLogSize ()

Since: API level 6

API to get maximum occupation percentage of audit log file set on device.

Returns
  • Returns the maximum log file size (in percentage of full file) set on device.
Throws
SecurityException If caller does not have required permissions
Usage
Used to get the checkpoint set for the Maximum Alert to be sent to Admin.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 try {
     int size = auditLog.getMaximumLogSize();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     int size = auditLog.getMaximumLogSize();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public boolean isAuditLogEnabled ()

Since: API level 6

API to check the status of audit log service on device.

Returns
  • Returns true if the service is enabled on device and false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
Used to check whether AuditLog is running on device for a specific admin.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.isAuditLogEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.isAuditLogEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User scope

public boolean isIPTablesLoggingEnabled ()

Since: API level 6

Deprecated in API level 35
NOTE: This API is not available since Android 12.

API to check the status of IPTables logging on device.

Returns
  • Returns true if the service is enabled on device and false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
Used to check whether IP Tables events are being recorded on Audit Log.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 try {
     boolean ret = auditLog.isIPTablesLoggingEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 @knox
 NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
              .getKnoxContainerManager(containerID);
 AuditLog auditlog = kcm.getAuditLogPolicy();

 try {
     boolean ret = auditLog.isIPTablesLoggingEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User scope

public static void n (int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)

Since: API level 6

API to log events with NOTICE severity

Parameters
moduleGroup Which of the five available modules group generated the event: AUDIT_LOG_GROUP_APPLICATION , AUDIT_LOG_GROUP_EVENTS, AUDIT_LOG_GROUP_NETWORK, AUDIT_LOG_GROUP_SECURITY and AUDIT_LOG_GROUP_SYSTEM
outcome Result of event that you want to log, success (true) or fail ( false)
pid pid of the process that generated the event
swComponent Class name of the component that generated the event
logMessage Message to log on AuditLog Record
Throws
SecurityException If caller does not have required permissions
Usage
This method will generate an AuditLog record with the NOTICE severity.

 try {
     AuditLog.n(AuditLog.AUDIT_LOG_GROUP_EVENTS, false, android.os.Process.myPid(),
             this.getClass()
                     .getSimpleName(),
             "Pairing bluetooth failed. Unable to get device address.");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:

NOTE: This API can only be called statically. The context used for log will always be the administrator's one, even if calling this API for container.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public boolean setAuditLogRules (AuditLogRulesInfo auditLogRulesInfo)

Since: API level 17

API to set AuditLog rules used to restrict data logging.

Parameters
auditLogRulesInfo Object containing rules for AuditLog to collect information.
Returns
  • true on AuditLog rules succesfully set, and false otherwise
Throws
SecurityException If caller does not have required permissions
Usage
This API will set a profile for rules using as parameter an AuditLogRulesInfo() object type. The information contained on this profile is used to filter messages that will be stored at AuditLog circular buffer.
The AuditLogRulesInfo parameters are:
Severity: This parameter will provide the minimum value of severity that a message needs to be eligible to be stored. Possible values are:
AUDIT_LOG_SEVERITY_ALERT - Only severity level Alert messages are stored.
AUDIT_LOG_SEVERITY_CRITICAL - Severity level Alert and Critical are stored
AUDIT_LOG_SEVERITY_ERROR - Severity level Alert, Critical and Error are stored
AUDIT_LOG_SEVERITY_WARNING - Severity level Alert, Critical, Error and Warning are stored
AUDIT_LOG_SEVERITY_NOTICE - All Severity levels shall be stored.

Outcome: This parameter select the type of audit information to be stored, regarding its outcome. Administrator must use one of the following values:
AUDIT_LOG_OUTCOME_ALL - All Outcome kind of messages are eligible
AUDIT_LOG_OUTCOME_SUCCESS - Only Outcome Succcess messages are eligible
AUDIT_LOG_OUTCOME_FAILURE - Only Outcome Failure messages are eligible

Groups: This parameter is a list of all module groups that administrator wants information. Groups not on this list will not be logged. Null or empty list means that messages will be stored regardless the group. AuditLog defines module groups as follow:
AUDIT_LOG_GROUP_SECURITY
AUDIT_LOG_GROUP_SYSTEM
AUDIT_LOG_GROUP_NETWORK
AUDIT_LOG_GROUP_EVENTS
AUDIT_LOG_GROUP_APPLICATION

Kernel : Administrator may request all information from kernel to be logged, using boolean value true. Using false will disable this selection.
To avoid collection of unnecessary information causing excessive storage occupation, it is recommended to disable kernel logging.
Disabling kernel will not interfere on collection of necessary data that comes from kernel, including IpTables and Encryption information.


NOTE: Since Android R(11.0), if kernel value is turned on by a profile owner either at work profile or its parent (user 0) on a company-owned device, kernel events will not be logged due to privacy concern.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 List<Integer> groups = new ArrayList<Integer>();
 groups.add(AuditLog.AUDIT_LOG_GROUP_APPLICATION);
 groups.add(AuditLog.AUDIT_LOG_GROUP_SECURITY);
 AuditLogRulesInfo auditLogRulesInfo = new AuditLogRulesInfo(AUDIT_LOG_SEVERITY_ALERT,
         AuditLogRulesInfo.AUDIT_LOG_OUTCOME_RULES_SUCCESS, groups, false);
 
 try {
     boolean ret = auditLog.setAuditLogRules(auditLogRulesInfo);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 List<Integer> groups = new ArrayList<Integer>();
 groups.add(AuditLog.AUDIT_LOG_GROUP_APPLICATION);
 groups.add(AuditLog.AUDIT_LOG_GROUP_SECURITY);
 AuditLogRulesInfo auditLogRulesInfo = new AuditLogRulesInfo(AUDIT_LOG_SEVERITY_ALERT,
         AuditLogRulesInfo.AUDIT_LOG_OUTCOME_RULES_SUCCESS, groups, false);

 try {
     boolean ret = auditLog.setAuditLogRules(auditLogRulesInfo);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 17
KNOX 2.5
Multiuser Environment
User scope

public boolean setCriticalLogSize (int percentageValue)

Since: API level 6

API to set critical occupation percentage of audit log file.

Parameters
percentageValue Percentage Value when the critical log size alert will be sent.
Returns
  • Returns true if the critical size value was successfully set and false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
Used to set a percentage threshold in AuditLog which when reached will send the critical log size alert to the Administrator. The current size counter will always be reset after a full dump because the administrator already dumped every single log, and the counter will only consider new events logged after the last full dump.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 int percent = 70;
 boolean ret = false;
 try {
     if (auditLog.isAuditLogEnabled()) {
         ret = auditLog.setCriticalLogSize(percent);
     } else {
         Log.w(TAG, "AuditLog is not Running ");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 @knox
 NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
              .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 int percent = 70;
 boolean ret = false;
 try {
     if (auditLog.isAuditLogEnabled()) {
         ret = auditLog.setCriticalLogSize(percent);
     } else {
         Log.w(TAG, "AuditLog is not Running ");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public boolean setMaximumLogSize (int percentageValue)

Since: API level 6

API to set maximum occupation percentage of audit log file.

Parameters
percentageValue Percentage Value when the maximum log size alert will be sent.
Returns
  • Returns true if the maximum size value was successfully set and false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
Used to set a percentage threshold in AuditLog which when reached will send the maximum log size alert to the Admin. The current size counter will always be reset after a full dump because the administrator already dumped every single log, and the counter will only consider new events logged after the last full dump.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 AuditLog auditLog = ekm.getAuditLogPolicy();
 
 int percent = 85;
 boolean ret = false;
 try {
     if (auditLog.isAuditLogEnabled()) {
         ret = auditLog.setMaximumLogSize(percent);
     } else {
         Log.w(TAG, "AuditLog is not Running ");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
NOTE: Since KNOX 2.6, AuditLog policy is available for Container.

 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 AuditLog auditLog = kcm.getAuditLogPolicy();

 int percent = 85;
 boolean ret = false;
 try {
     if (auditLog.isAuditLogEnabled()) {
         ret = auditLog.setMaximumLogSize(percent);
     } else {
         Log.w(TAG, "AuditLog is not Running ");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope

public static void w (int moduleGroup, boolean outcome, int pid, String swComponent, String logMessage)

Since: API level 6

API to log events with WARNING severity

Parameters
moduleGroup Which of the five available modules group generated the event: AUDIT_LOG_GROUP_APPLICATION , AUDIT_LOG_GROUP_EVENTS, AUDIT_LOG_GROUP_NETWORK, AUDIT_LOG_GROUP_SECURITY and AUDIT_LOG_GROUP_SYSTEM
outcome Result of event that you want to log, success (true) or fail ( false)
pid pid of the process that generated the event
swComponent Class name of the component that generated the event
logMessage Message to log on AuditLog Record
Throws
SecurityException If caller does not have required permissions
Usage
This method will generate an AuditLog record with the WARNING severity.

 try {
     AuditLog.w(AuditLog.AUDIT_LOG_GROUP_SECURITY, false, android.os.Process.myPid(), this
             .getClass().getSimpleName(),
             "Pairing bluetooth failed. Unable to get device address.");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:

NOTE: This API can only be called statically. The context used for log will always be the administrator's one, even if calling this API for container.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_AUDIT_LOG" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
enableAuditLog()
Multiuser Environment
User scope