magnusviri

macOS system log

These are my macOS system log notes.

/var/log

Before macOS 10.12 the /var/log was useful.

Starting in macOS 10.12 Apple switched to what they call "unified logging". Logs are now stored in tracev3 formatted files located in /var/db/diagnostics. What's left is daily.out, monthly.out, wifi.log, install.log, cups, and a few other things. /var/log/system.log still exists and some things still use it but it's all useless information now.

In fact, since the change to unified logging, no matter how much I study it I've never been able to find any useful log information. But, I'm going to give it one more chance. And this time I'm going to document everything so I don't have to learn it all over again.

sysdiagnose

Still works.

sudo sysdiagnose -f ~/Desktop/

Or press these all at once: Shift + Control + Option + Command + Period.

The screen will flash. Wait 15 seconds to 5 minutes. A Finder window will open at /private/var/tmp. In there is a file named something like "sysdiagnose__macOS__.tar". I just tried it and my file was 390 MB compressed (750 MB uncompressed). It contains a lot of information, including information that might be private. Here's a list of some of the things it contains.

If running from the command line you can specify a specific process and get memory information on the process as well.

Applications

/Applications/Utilities/Console.app is the Apple GUI to view logs (requires an admin password).

There's also /usr/bin/log.

And there are Howard Oakley's applications.

Log Levels

This changes the logging level to debug for the com.krypted subsystem (aka Charles Edge).

log config --mode "level:debug" --subsystem com.krypted

log stream

You have to be an admin user.

To watch the logs as they come in:

log stream

You should limit the information with a "predicate" (a search/filter expression).

log stream --predicate 'eventMessage contains "Twitter"'

See below for information about predicates.

log show

To search saved log files:

log show

Add --info and/or --debug to get those log levels.

Add --last <time> to show only the most recent period; the number takes a unit suffix of m, h or d (minutes, hours or days).

Add --style to change how it's displayed.

Examples

log show --predicate 'eventMessage contains "Hello Logs"' --last 3m
log show --style syslog --predicate 'eventMessage contains " "' --info --last 24h
log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d

Predicates

Operators (see this page for more info)

Add [c] to any of these to make them case insensitive, e.g. CONTAINS[c].

Add [d] to make it diacritic insensitive, e.g., CONTAINS[cd] schon will match "Schön", "Bitte schön", and "schönen" but afaik not "schoen".
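
An added example (not from the original notes): it builds a predicate from arbitrary phrases, escaping quotes and backslashes so a phrase cannot change the filter, then counts matching entries per process. The function names, the sample lines and the assumed `--style syslog` line layout are constructed for illustration.

```sh
#!/bin/sh
# Added example: build a `log show` predicate from arbitrary phrases and
# summarise the matching entries per process.

# Escape backslashes and double quotes so a phrase cannot close the
# string literal and change the predicate's meaning.
escape_literal() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Join phrases into: eventMessage CONTAINS[c] "a" OR eventMessage CONTAINS[c] "b"
build_predicate() {
    pred=""
    for phrase in "$@"; do
        term="eventMessage CONTAINS[c] \"$(escape_literal "$phrase")\""
        if [ -z "$pred" ]; then pred="$term"; else pred="$pred OR $term"; fi
    done
    printf '%s\n' "$pred"
}

# Count entries per process from --style syslog output on stdin.
# Assumed layout: "<date> <time+zone>  <host> <process>[<pid>]: <message>".
# The header line is skipped; process names with spaces are cut at the first word.
count_by_process() {
    awk '/^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / {
             proc = $4
             sub(/\[[0-9]+\]:$/, "", proc)
             n[proc]++
         }
         END { for (p in n) printf "%d %s\n", n[p], p }' | sort -k1,1nr -k2
}

# Constructed sample output (not from a real machine), for running off macOS.
sample_lines() {
    cat <<'EOF'
Timestamp                       (process)[PID]
2021-12-06 09:14:02.118204-0700  localhost authd[123]: Failed to authenticate user (constructed)
2021-12-06 09:14:09.502771-0700  localhost authd[123]: Failed to authenticate user (constructed)
2021-12-06 09:20:41.000312-0700  localhost SecurityAgent[456]: Failed to authenticate user (constructed)
EOF
}

PREDICATE=$(build_predicate "Failed to authenticate user")
if [ "$(uname -s)" = "Darwin" ]; then
    log show --style syslog --info --last 1d --predicate "$PREDICATE" | count_by_process
else
    sample_lines | count_by_process
fi
```

On macOS this queries the last day of saved logs; elsewhere it runs over the constructed sample lines.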

Published: 2021-12-06, last edited: 2021-12-06

Copyright 2020 James Reynolds