This article and the next explain what you are likely to see in your logs, as shown in Console, when OS X (macOS) 10.11.5 is running fairly normally. They should help you understand how to interpret your logs, and give useful hints and tips for getting the most out of them.
Logs are invaluable for diagnosing most Mac problems, particularly those occurring during startup, waking from sleep, and any type of crash. The main problems in trying to use them now are that they remain fairly cryptic, and contain so much information that telling the wood from the trees is difficult, even when you know what you are looking for. The logs shown here are taken from a vanilla installation of macOS 10.11.5 on a current iMac 27″ (iMac17,1) model. OS X Server is not installed. Yours will of course differ, but probably not by a great deal.
One important note of explanation: some messages contain result codes. The normal convention is that a result or error code of 0 means no error: the process has completed normally. Non-zero codes are normally errors, although you will see examples below where that is not the case.
Shutdown
06/07/2016 16:03:32.068 shutdown[45074]: reboot by hoakley:
This indicates that it is a restart rather than a straight shutdown.
06/07/2016 16:03:32.000 kernel[0]: Kext loading now disabled.
06/07/2016 16:03:32.000 kernel[0]: Kext unloading now disabled.
06/07/2016 16:03:32.000 kernel[0]: Kext autounloading now disabled.
06/07/2016 16:03:32.000 kernel[0]: Kernel requests now disabled.
Immediately prior to shutdown, kernel extensions are locked out, and the kernel itself stops responding to requests.
06/07/2016 16:03:32.068 shutdown[45074]: SHUTDOWN_TIME: 1467817412 67719
06/07/2016 16:03:32.068 com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.system) System shutdown initiated by: shutdown.45074
If you want to find all shutdowns and restarts, search for SHUTDOWN_TIME in the top right-hand search box.
Startup
06/07/2016 16:03:47.000 bootlog[0]: BOOT_TIME 1467817427 0
This marks the start of the boot process, and is again useful to search for when you want to locate the last time that your Mac started up. Also useful is the time interval between SHUTDOWN_TIME and BOOT_TIME, which should be around 15 seconds, and no more than 20.
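As an added example (not part of the original article), this Python code automates the check just described: it pairs each BOOT_TIME with the SHUTDOWN_TIME before it and flags gaps over the 20-second limit. The function name, the status strings and every sample line after the first pair are constructed for illustration.

```python
import re

# Marker lines as they appear in the article's log:
#   shutdown[45074]: SHUTDOWN_TIME: 1467817412 67719
#   bootlog[0]: BOOT_TIME 1467817427 0
MARKER = re.compile(r"\b(SHUTDOWN_TIME|BOOT_TIME):?\s+(\d+)\s+(\d+)")
MAX_GAP_S = 20.0  # the article's upper bound for a normal restart


def restart_gaps(lines, max_gap=MAX_GAP_S):
    """Pair each BOOT_TIME with the SHUTDOWN_TIME logged before it.

    Returns one dict per boot: the boot epoch, the gap in seconds (None
    when no SHUTDOWN_TIME was logged since the previous boot) and a status.
    """
    results = []
    last_shutdown = None
    for line in lines:
        m = MARKER.search(line)
        if not m:
            continue
        kind, sec, usec = m.group(1), int(m.group(2)), int(m.group(3))
        stamp = sec + usec / 1_000_000  # fields are seconds and microseconds
        if kind == "SHUTDOWN_TIME":
            last_shutdown = stamp
            continue
        if last_shutdown is None:
            gap, status = None, "no SHUTDOWN_TIME before this boot"
        else:
            gap = round(stamp - last_shutdown, 3)
            status = "ok" if gap <= max_gap else "over limit"
        results.append({"boot": sec, "gap": gap, "status": status})
        last_shutdown = None  # a shutdown marker belongs to one boot only
    return results


# Constructed sample: the first pair is the article's own, the rest are made up.
SAMPLE = """\
06/07/2016 16:03:32.068 shutdown[45074]: SHUTDOWN_TIME: 1467817412 67719
06/07/2016 16:03:47.000 bootlog[0]: BOOT_TIME 1467817427 0
07/07/2016 09:10:02.500 shutdown[812]: SHUTDOWN_TIME: 1467879002 500000
07/07/2016 09:10:44.000 bootlog[0]: BOOT_TIME 1467879044 0
08/07/2016 08:00:00.000 bootlog[0]: BOOT_TIME 1467961200 0
""".splitlines()

if __name__ == "__main__":
    for r in restart_gaps(SAMPLE):
        print(r)
```

A full shutdown followed by a later power-on also reports as over the limit, so read a flagged gap alongside the `reboot by` line that marks a restart.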
06/07/2016 16:03:49.000 syslogd[60]: Configuration Notice: ASL Module "com.apple.AccountPolicyHelper" claims selected messages.
You may well then see a stream of these messages, which might appear alarming, but are routine.
06/07/2016 16:03:49.000 kernel[0]: Longterm timer threshold: 1000 ms
06/07/2016 16:03:49.000 kernel[0]: PMAP: PCID enabled
06/07/2016 16:03:49.000 kernel[0]: PMAP: Supervisor Mode Execute Protection enabled
06/07/2016 16:03:49.000 kernel[0]: PMAP: Supervisor Mode Access Protection enabled
06/07/2016 16:03:49.000 kernel[0]: Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64
This is the startup of the central part of macOS, the Darwin Kernel, and marks this first phase of startup, which is all about the kernel itself.
06/07/2016 16:03:49.000 kernel[0]: vm_page_bootstrap: 1994658 free pages and 86110 wired pages
06/07/2016 16:03:49.000 kernel[0]: kext submap [0x<ptr> - 0x<ptr>], kernel text [0x<ptr> - 0x<ptr>]
06/07/2016 16:03:49.000 kernel[0]: zone leak detection enabled
06/07/2016 16:03:49.000 kernel[0]: "vm_compressor_mode" is 4
06/07/2016 16:03:49.000 kernel[0]: multiq scheduler config: deep-drain 0, ceiling 47, depth limit 4, band limit 127, sanity check 0
06/07/2016 16:03:49.000 kernel[0]: standard timeslicing quantum is 10000 us
06/07/2016 16:03:49.000 kernel[0]: standard background quantum is 2500 us
06/07/2016 16:03:49.000 kernel[0]: WQ[lt_init]: init linktable with max:262144 elements (8388608 bytes)
06/07/2016 16:03:49.000 kernel[0]: WQ[wqp_init]: init prepost table with max:262144 elements (8388608 bytes)
06/07/2016 16:03:49.000 kernel[0]: mig_table_max_displ = 16
06/07/2016 16:03:49.000 kernel[0]: TSC Deadline Timer supported and enabled
06/07/2016 16:03:49.000 kernel[0]: kdp_core zlib memory 0x7000
This is the basic setup for the kernel, including its memory management and multitasking.
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=1 LocalApicId=0 Enabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=2 LocalApicId=2 Enabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=3 LocalApicId=4 Enabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=4 LocalApicId=6 Enabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=5 LocalApicId=255 Disabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=6 LocalApicId=255 Disabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=7 LocalApicId=255 Disabled
06/07/2016 16:03:49.000 kernel[0]: AppleACPICPU: ProcessorId=8 LocalApicId=255 Disabled
This is the configuration of the kernel to the available processor cores. This is typical for a 4 core system.
06/07/2016 16:03:49.000 kernel[0]: calling mpo_policy_init for TMSafetyNet
06/07/2016 16:03:49.000 kernel[0]: Security policy loaded: Safety net for Time Machine (TMSafetyNet)
06/07/2016 16:03:49.000 kernel[0]: calling mpo_policy_init for AMFI
06/07/2016 16:03:49.000 kernel[0]: Security policy loaded: Apple Mobile File Integrity (AMFI)
06/07/2016 16:03:49.000 kernel[0]: calling mpo_policy_init for Sandbox
06/07/2016 16:03:49.000 kernel[0]: Security policy loaded: Seatbelt sandbox policy (Sandbox)
06/07/2016 16:03:49.000 kernel[0]: calling mpo_policy_init for Quarantine
06/07/2016 16:03:49.000 kernel[0]: Security policy loaded: Quarantine policy (Quarantine)
This is the loading of security policies, including those for Gatekeeper.
06/07/2016 16:03:49.000 kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
06/07/2016 16:03:49.000 kernel[0]: The Regents of the University of California. All rights reserved.
This is the startup of macOS or OS X proper: the copyright notice for BSD Unix, which still provides much of its internals. Once this is done, macOS can start loading the earliest of the kernel extensions (kexts). A wide range of messages, warnings, and errors can then occur.
06/07/2016 16:03:49.000 kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP17@1B/IOPP/SSD0@0/AppleSATAExpress/PRT0@0/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageDriver/APPLE SSD SM0128G Media/IOGUIDPartitionScheme/Diagnostics@2/CoreStoragePhysical/Macintosh HD/Macintosh HD
06/07/2016 16:03:49.000 kernel[0]: BSD root: disk2, major 1, minor 8
This marks the mounting of your startup volume, and its Unix equivalent.
06/07/2016 16:03:49.000 kernel[0]: hfs: mounted Macintosh HD on device root_device
The startup volume is now mounted under the HFS+ file system.
06/07/2016 16:03:49.000 kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-flags /private/var/run/dyld_shared_cache_x86_64h
You may see a long series of warnings like this, which relate to launchd, the service which launches processes and apps, and negotiation of security provisions.
06/07/2016 16:03:48.910 com.apple.xpc.launchd[1]: (com.apple.AirPlayXPCHelper) This service is defined to be constantly running and is inherently inefficient.
launchd has now started launching services, and you may well see several of these warnings. This marks the next phase of startup, in which all the different software services have to be launched and set up.
06/07/2016 16:03:49.089 powerd[73]: Registering for UPS devices
06/07/2016 16:03:49.090 powerd[73]: UPSDeviceAdded. _alreadyRunningIOUPSD:0
Here the powerd service has recognised that there is a UPS connected, and added it to its management.
06/07/2016 16:03:49.000 kernel[0]: **** [IOBluetoothHostControllerUSBTransport][start] -- completed -- result = TRUE -- 0xa000 ****
This is Bluetooth starting up.
06/07/2016 16:03:50.000 kernel[0]: [IGPU] Will fallback to host-side scheduling if graphics firmware fails to load
This marks the addition of GPU support.
06/07/2016 16:03:50.000 kernel[0]: Previous shutdown cause: -128
This tells you why the Mac shut down last time; this was a restart.
06/07/2016 16:03:50.138 WindowServer[227]: Server is starting up
WindowServer, which runs the graphical user interface, is now starting up. This is the next phase of starting up, getting ready to hand over to the user interface.
06/07/2016 16:03:50.422 configd[71]: setting hostname to "Howards-iMac.local"
Bonjour is now configuring.
06/07/2016 16:03:53.000 kernel[0]: Ethernet [AppleBCM5701Ethernet]: Link up on en0, 100-Megabit, Full-duplex, Symmetric flow-control, Debug [796d,0301,0de1,0300,45e1,0000]
The wired Ethernet connection is now active, and configured as shown.
06/07/2016 16:03:57.000 kernel[0]: STEX : setPowerState : 2, (0 = sleep , 1 = pause, 2 = wake)
06/07/2016 16:03:57.000 kernel[0]: STEX : Power on device
06/07/2016 16:03:57.000 kernel[0]: STEX : setPowerState done
Although this may seem late in the day, this is the sleep/wake state being formally set, so that your Mac knows that it is awake.
06/07/2016 16:03:59.467 WindowServer[227]: Display 0x042bd38c: GL mask 0x1; bounds (0, 0)[2560 x 1440], 116 modes available
Main, Active, on-line, enabled, built-in, boot, Vendor 610, Model ae07, S/N c5e1524c, Unit 0, Rotation 0
UUID 0x783d14a6f034a29296ad7c3b9f29b192
WindowServer is now configured to the Display settings.
06/07/2016 16:04:00.643 loginwindow[120]: Login Window Started Security Agent
06/07/2016 16:04:00.707 SecurityAgent[284]: This is the first run
06/07/2016 16:04:00.707 SecurityAgent[284]: MacBuddy was run = 0
This marks the start of your user login. Note that MacBuddy is quite normal, and is not some spurious virus protection or malware.
06/07/2016 16:04:12.617 SecurityAgent[284]: Login Window login proceeding
06/07/2016 16:04:12.932 loginwindow[120]: Login Window - Returned from Security Agent
Your login completed successfully. Now user items, from ~/Library, will start loading, marking the last phase of startup.
06/07/2016 16:04:13.000 kernel[0]: Sandbox: CommCenter(335) deny(1) file-read-metadata /private/var/folders
You may well see lots of messages like this.
06/07/2016 16:04:27.205 sntp[259]: time set +1.072565 s
The clock has been corrected.
06/07/2016 16:04:54.000 kernel[0]: Sandbox: coreduetd(92) deny(1) file-read-metadata /
You may see lots of warnings like these from the CoreDuet database.
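Because the Sandbox denials shown in this article are routine and numerous, it helps to tally them and look only at the ones you have not seen before. The following Python code is an added example, not part of the original article: it counts denials per process and operation and separates out those missing from a baseline built from the three messages above. The baseline set, the function name and the `ExampleHelper` lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Sandbox: <process>(<pid>) [System Policy: ]deny(<n>) <operation> <path>
DENY = re.compile(
    r"Sandbox: (?P<proc>.+?)\((?P<pid>\d+)\) (?:System Policy: )?"
    r"deny\(\d+\) (?P<op>\S+)(?: (?P<path>.*))?$"
)

# (process, operation) pairs this article shows during a normal startup.
ROUTINE = {
    ("launchd", "file-write-flags"),
    ("CommCenter", "file-read-metadata"),
    ("coreduetd", "file-read-metadata"),
}


def summarise_denials(lines, routine=ROUTINE):
    """Count denials per (process, operation); also return the subset
    whose pair is not in the routine baseline."""
    counts = Counter()
    for line in lines:
        m = DENY.search(line)
        if m:
            counts[(m["proc"], m["op"])] += 1
    unfamiliar = {pair: n for pair, n in counts.items() if pair not in routine}
    return counts, unfamiliar


# Constructed sample: three lines from the article, then two made-up lines
# for a hypothetical process named ExampleHelper.
SAMPLE = """\
06/07/2016 16:03:49.000 kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-flags /private/var/run/dyld_shared_cache_x86_64h
06/07/2016 16:04:13.000 kernel[0]: Sandbox: CommCenter(335) deny(1) file-read-metadata /private/var/folders
06/07/2016 16:04:54.000 kernel[0]: Sandbox: coreduetd(92) deny(1) file-read-metadata /
06/07/2016 16:05:10.000 kernel[0]: Sandbox: ExampleHelper(512) deny(1) file-read-data /Users/example/Documents/notes.txt
06/07/2016 16:05:11.000 kernel[0]: Sandbox: ExampleHelper(512) deny(1) file-read-data /Users/example/Documents/notes.txt
""".splitlines()

if __name__ == "__main__":
    counts, unfamiliar = summarise_denials(SAMPLE)
    for (proc, op), n in counts.most_common():
        flag = "  <- not in baseline" if (proc, op) in unfamiliar else ""
        print(f"{n:3d}  {proc:15s} {op}{flag}")
```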
The next and final article will detail waking from sleep, and a routine Time Machine backup.