peeling back the bark > @chilcote - Join us July...

Post on 12-Dec-2018


peeling back the bark

> @chilcote

Legacy

Apple System Logger (asl)

Unix (syslog)

Audit logs (BSM)

NOTE: Most system logs have moved to a new logging system. See log(1) for more information.

> syslog manpage

Unified Logging

Cross-device

Binary format

Volatile

brevity

vs

verbosityverbosityverbosityverbosityverbosityverbosityverbosity

All you have to do is write one true sentence. Write the truest sentence that you know.

> Ernest Hemingway

"For sale: baby shoes, never worn."

> Ernest Hemingway

"Wait," he said, staring. "You're me."

> Don't judge; I got free tickets

I've put in so many enigmas and puzzles that it will keep the professors busy for centuries

arguing over what I meant, and that's the only way of insuring one's immortality.

> James Joyce

I have eaten the plums that were in the icebox

> brevity

We few, we happy few, we band of brothers;
For he to-day that sheds his blood with me
Shall be my brother; be he ne'er so vile,
This day shall gentle his condition.

> verbosity

More is better, really

> Apple Technote tn2347

single, efficient, performant API

> Apple Dev Site

Log levels

Types of messages

Persistence

Configuration Profiles

Log level: default
  Potential failures
  Memory buffer
  Data store
  Purged

Log level: info
  Non-essential
  Memory buffer
  Faults saved to data store
  Purged

Log level: debug
  Dev only
  Memory buffer
  Configuration change
  Purged

Log level: error
  Process-level errors
  Not buffered
  Data store
  Purged

Log level: fault
  System-level errors
  Multi-process errors
  Data store
  Purged

Data Store

tracev3 (compressed binary) format

/var/db/diagnostics

/var/db/uuidtext

Legacy APIs
  NSLog
  syslog
  asl_log_message

New APIs
  os_log
  os_log_info
  os_log_debug
  os_log_fault
  os_log_create

Log Format

Timestamp                        Thread  Type   Activity    PID
2017-07-14 09:25:00.177592-0700  0bn0X   Fault  0x8005428c  343  macadminsd: (PSUMacAdmins) [com.psumac.pay.attention] [ERROR] get off of twitter

Log Format, field by field

2017-07-14 09:25:00.177592-0700   # Timestamp
0bn0X                             # Thread
Fault                             # Type
0x8005428c                        # Activity
343                               # PID
macadminsd:                       # Process Name
(PSUMacAdmins)                    # Library
[com.psumac.pay.attention]        # Subsystem & Category
[ERROR] get off of twitter        # Message

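As an added example (not from the deck), here is a small Python parser for the syslog-style line layout shown above, with a severity filter in the spirit of the signal-vs-noise slides. The two slide lines are reused as sample input; the third sample line and the "exampled" process are constructed, and the `[subsystem:category]` split assumes the form real `log show` output uses.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field order as documented on the "Log Format" slide:
# Timestamp Thread Type Activity PID process: (library) [subsystem] message
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>\S+)\s+(?P<type>Default|Info|Debug|Error|Fault)\s+"
    r"(?P<activity>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<process>\S+?):\s+"
    r"(?:\((?P<library>[^)]*)\)\s+)?(?:\[(?P<subsystem>[^\]]*)\]\s+)?"
    r"(?P<message>.*)$")
# Message types from least to most severe, following the log-level slides.
SEVERITY = {"Debug": 0, "Info": 1, "Default": 2, "Error": 3, "Fault": 4}

def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog-style line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {**m.groupdict(), "category": None}
    # Real `log show` output writes the bracket as [subsystem:category]; split it.
    if entry["subsystem"] and ":" in entry["subsystem"]:
        entry["subsystem"], entry["category"] = entry["subsystem"].split(":", 1)
    return entry

def parse_lines(text: str) -> Tuple[List[dict], List[str]]:
    """Parse a capture; the column header and any wrapped text are kept aside."""
    entries, rejected = [], []
    for line in filter(str.strip, text.splitlines()):
        entry = parse_line(line)
        entries.append(entry) if entry else rejected.append(line)
    return entries, rejected

def select(entries: List[dict], min_type: str = "Error",
           subsystem_prefix: Optional[str] = None) -> List[dict]:
    """Keep entries at or above min_type, optionally from one subsystem prefix only."""
    floor = SEVERITY[min_type]
    return [e for e in entries if SEVERITY[e["type"]] >= floor and
            (subsystem_prefix is None or (e["subsystem"] or "").startswith(subsystem_prefix))]

# Constructed sample: the column header printed by `log show`, the two lines that
# appear on the slides, and one made-up line in the [subsystem:category] form.
SAMPLE = """Timestamp Thread Type Activity PID
2017-07-14 09:25:00.177592-0700 0bn0X Fault 0x8005428c 343 macadminsd: (PSUMacAdmins) [com.psumac.pay.attention] [ERROR] get off of twitter
2017-07-08 16:21:53.917539-0700 0x2bc6e Default 0x0 3233 Python: (libffi.dylib) Hello PSU
2017-07-08 16:22:01.000001-0700 0x2bc70 Error 0x0 4242 exampled: (Example) [com.example.my_subsystem:example_category] constructed sample error
"""

if __name__ == "__main__":
    for e in select(parse_lines(SAMPLE)[0], "Error"):
        print(e["type"], e["process"], e["subsystem"], e["category"], e["message"])
```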

signal

vs

noise noise noise noise noisenoise noise noise noise noise noise

noise noise noise noise noise noise noisenoise noise noise noise noise noise

noise noise noise noise noise noise noisenoise noise noise noise noise noise

noise noise noise noise noise

$ log
usage: log <command>

global options:
  -?, --help
  -q, --quiet
  -v, --verbose

examples:
  log show
  log collect
  log erase --all
  log help stream

commands: collect, config, erase, show, stream

further help: log help <command>


log show --predicate 'eventMessage contains "shutdown"' \
    --style syslog \
    --info \
    --last 12h

log show --predicate 'eventMessage contains "shutdown"' \
    --style json \
    --debug \
    --last 7d

log show --predicate 'subsystem == "com.apple.Finder"' \
    --info \
    --start '2017-06-05 06:00:00' \
    --end '2017-06-05 06:59:00'


log show --predicate examples:

--predicate 'eventMessage contains "my message"'
--predicate 'eventType == logEvent and messageType == info'
--predicate 'processImagePath endswith "d"'
--predicate 'not processImagePath contains[c] "some spammer"'
--predicate 'processID < 100'
--predicate 'senderImagePath beginswith "my sender"'
--predicate 'eventType == logEvent
    and subsystem contains "com.example.my_subsystem"'

(Inside single quotes the shell keeps a backslash literally, so a multi-line predicate is simply continued on the next line with no backslash; the predicate language treats the newline as whitespace.)


log stream --style json \
    --process "Finder" \
    --type log \
    --level info

log stream --style json \
    --process "Finder" \
    --type log \
    --level debug \
    --timeout 1h

log stream --style syslog \
    --process "Finder" \
    --type activity \
    --level default


log collect --output ./foo.logarchive \
    --start "2017-07-06 11:00:00"

log collect --output /tmp/foo.logarchive \
    --last 24h \
    --size 50k

log collect --last 3d \
    --size 200m


log config --status
log config --mode "private_data:on"
log config --reset
log config --mode "level:debug"
log config --process=999 \
    --mode="persist:info,propagate:off"
log config --subsystem com.example.my_subsystem
log config --category example_category


log erase --all
log erase --ttl


Console.app

INTERMISSION

steagles

> 1943

Writing logs

Writing logs
  Logic and branching
  Unique and easy-to-find text patterns
  Variable and property values
  Who is being called?
  Log a backtrace of your stack!

Writing logs
  Don't litter the logs
  Annotate high-frequency logs for filtering
  Generate context-specific sysdiagnoses
  Specify user-concerning issues

> Daniel Jalkut

logger -is -t foo "Hello PSU"

log show --predicate \
    'eventMessage contains "Hello PSU"' \
    --last 5m


>>> from Foundation import NSLog
>>> NSLog("Hello PSU")
2017-07-08 16:21:53.917 Python[3233:179310] Hello PSU

log stream --predicate 'eventMessage contains "Hello PSU"' --info
Filtering the log data using "eventMessage CONTAINS "Hello PSU""
Timestamp                        Thread   Type     Activity  PID
2017-07-08 16:21:53.917539-0700  0x2bc6e  Default  0x0       3233  Python: (libffi.dylib) Hello PSU


More is better, really

Examples

log show --debug \
    --predicate \
    'process == "EmbeddedOSInstallService"'

log stream --info \
    --debug \
    --predicate \
    'processImagePath contains "cloudconfig"'

log show --predicate \
    'eventMessage contains "Previous shutdown cause"' \
    --last 24h

log show --predicate \
    'eventMessage contains "ECDebug"' \
    --last 10m

log stream --style syslog \
    --process "Imagr" \
    --type log

log show \
    --predicate 'eventMessage contains "BOOT_TIME"' \
    --style json \
    --info

log show \
    --predicate 'eventMessage contains "System Wake"' \
    --style json \
    --info

<key>com.apple.SCEP</key>
<dict>
    <key>DEFAULT-OPTIONS</key>
    <dict>
        <key>Default-Privacy-Setting</key>
        <string>Public</string>
        <key>Level</key>
        <dict>
            <key>Enable</key>
            <string>debug</string>
            <key>Persist</key>
            <string>debug</string>
        </dict>
    </dict>
</dict>

> Profile Docs

Thank you

> @chilcote

References

https://developer.apple.com/reference/os/logging
https://developer.apple.com/videos/play/wwdc2016/721/
http://asciiwwdc.com/2016/sessions/721
https://developer.apple.com/bug-reporting/profiles-and-logs/?platform=macos
https://developer.apple.com/library/content/technotes/tn2347/_index.html
https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html
https://eclecticlight.co/2016/09/29/welcome-to-macos-sierras-new-console-its-buried-in-terminal
https://eclecticlight.co/2016/09/23/sierras-console-promising-but-incomplete/
https://eclecticlight.co/2016/10/01/using-the-logs-in-sierra-some-practical-tips/
http://krypted.com/mac-os-x/log-logs-logger/
http://krypted.com/mac-os-x/macos-logging-subsystems-gist/
https://gist.github.com/krypted/495e48a995b2c08d25dc4f67358d1983
http://www.amsys.co.uk/2017/01/state-of-logging/
http://www.modtitan.com/2017/04/finding-shutdown-causes-in-macos.html
https://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts-introducing-unified-logging
http://blog.eriknicolasgomez.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/
https://github.com/grahamgilbert/imagr/wiki/Troubleshooting
http://bitsplitting.org/2016/10/26/log-littering/
https://mosen.github.io/profiledocs/payloads/logging.html