I want to read dmesg logs that are present in the kernel core file. The usual way is to make use of a utility like crash to open the core file with a corresponding vmlinux.
If I am not wrong, reading the dmesg logs from a core file has no symbol dependency and hence no vmlinux dependency.
Secondly, the running system may not have any utilities available to open core files. So I want to implement my own script/utility that can open the core file as a normal file and parse it to dump the dmesg logs.
Is it possible? If yes, what's the format of the core file, so that I can locate where the dmesg starts and ends?
The `crash` tool has in its interactive prompt the command `log` to display the kernel message buffer (Analyzing a core dump). You'll find the source under `crash-utility/crash` and may proceed further with searching for `log_buf`. It seems that "the core dump file format is using the ELF format but is not described in the ELF standard."
You may also find further information for "How to analyze Linux memory or core dumps" within the Volatility Framework, which is written in Python. For example, search for `dmesg`.
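As an added illustration of the ELF layout the answer refers to (not code from `crash`, Volatility or the original posts): a parser that walks an ELF64 core's program headers, reads the `VMCOREINFO` note and maps an exported address to a file offset. It assumes a little-endian kdump-style core whose `VMCOREINFO` note contains a `SYMBOL(log_buf)` line; which symbols are exported depends on the kernel version, and `build_sample()` is a constructed input, not a real dump.

```python
import struct

ET_CORE, PT_LOAD, PT_NOTE = 4, 1, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header

def pad4(n):  # note name and descriptor are padded to 4-byte boundaries
    return (n + 3) & ~3

def program_headers(core):  # -> list of raw program-header tuples
    f = EHDR.unpack_from(core, 0)
    if f[0][:6] != b"\x7fELF\x02\x01" or f[1] != ET_CORE:
        raise ValueError("not a little-endian ELF64 core file")
    phoff, phentsize, phnum = f[5], f[9], f[10]
    return [PHDR.unpack_from(core, phoff + i * phentsize) for i in range(phnum)]

def notes(core):  # yields (name, type, descriptor) from every PT_NOTE segment
    for p_type, _, off, _, _, filesz, _, _ in program_headers(core):
        pos, end = off, off + filesz
        while p_type == PT_NOTE and pos + 12 <= end <= len(core):
            namesz, descsz, ntype = struct.unpack_from("<III", core, pos)
            desc_off = pos + 12 + pad4(namesz)
            if desc_off + descsz > end:
                raise ValueError("truncated note")
            yield (core[pos + 12:pos + 12 + namesz].rstrip(b"\0"), ntype,
                   core[desc_off:desc_off + descsz])
            pos = desc_off + pad4(descsz)

def vmcoreinfo(core):  # KEY=VALUE lines of the VMCOREINFO note as a dict
    for name, _, desc in notes(core):
        if name == b"VMCOREINFO":
            lines = desc.decode("ascii", "replace").splitlines()
            return dict(line.split("=", 1) for line in lines if "=" in line)
    return {}

def vaddr_to_offset(core, vaddr):  # file offset of a virtual address, or None
    for p_type, _, off, va, _, filesz, _, _ in program_headers(core):
        if p_type == PT_LOAD and va <= vaddr < va + filesz:
            return off + (vaddr - va)

def build_sample():  # constructed input, not taken from a real dump
    desc = b"OSRELEASE=0.0-constructed\nSYMBOL(log_buf)=ffffffff81000008\n"
    note = (struct.pack("<III", 11, len(desc), 0) + b"VMCOREINFO\0\0"
            + desc.ljust(pad4(len(desc)), b"\0"))
    base = EHDR.size + 2 * PHDR.size  # data follows the two program headers
    return (EHDR.pack(b"\x7fELF\x02\x01\x01".ljust(16, b"\0"), ET_CORE, 62, 1, 0,
                      EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
            + PHDR.pack(PT_NOTE, 0, base, 0, 0, len(note), 0, 4)
            + PHDR.pack(PT_LOAD, 4, base + len(note), 0xFFFFFFFF81000000, 0, 16, 16, 4096)
            + note + b"\0" * 8 + b"PLACEHLD")
```

The example stops at locating the file offset; decoding the bytes found there depends on the kernel's printk buffer layout, which it does not attempt.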