hoakley Macs, Technology

LogLogger3: an improved tool for accessing Sierra’s logs

Having written extolling the virtues of the predicate filters available when reading logs using the command line tool log, I realised that my own GUI front end to that, LogLogger, could be far more helpful to users wanting to employ them. I have therefore enhanced the utility to LogLogger3, available here: loglogger3

If you want to distribute it more widely, please link to this page, with its detailed instructions and explanations. I don’t wish to prevent anyone from making copies available elsewhere, but it does not come with instructions.

It is an unsigned app, which uses Shane Stanley’s neat Dialog Toolkit v2.0.2 (which is included in the bundle, so that you do not have to install that separately). It is unsigned so that you can improve on it, and customise it as you wish – if I had signed it, that should break the signature. But it does mean that when you first run it after downloading, you will have to do so using the Finder’s Open command, or Gatekeeper will prevent it from running.

loglogshot1

When you start it, it presents a simple alert asking you to confirm that you wish to run the script. Obviously, you should click Run.

loglogshot2

You will then be prompted for the name of the text file into which the log excerpts will be written.

loglogger2shot

It is then driven from this single improved dialog.

The first section sets any predicates to be used to filter the entries to be included in its output. If you just want Time Machine entries, leave the button set to that. If you want all log entries (beware: for any length of time the output file will be huge), set it to none.

The other two radio buttons require you to enter predicate information below.

Pattern lets you create one or two filter terms using the popup menus and text boxes below. If you select this, you must configure at least the first Pattern line.

The two lines which start with Pattern: let you build the most popular filter expressions. If you set both, then the Logical operator (by default AND) will be applied to combine them.

The first popup menu in each of the two Pattern lines determines what is examined in the filter. On offer are:

  • eventMessage – for this, you specify a text pattern, or text, within the message, or an activity name.
  • processImagePath – this matches the text pattern in the name of the process which originated the event.
  • senderImagePath – this matches the text pattern in the name of the sender, which might be the name of a library, extension, or executable.
  • subsystem – this matches the subsystem specifier, e.g. com.apple.TimeMachine. Although potentially valuable, subsystems are not yet widely used, and discovering which is which is not easy. Use with caution.

The Operator popup menu in each of the two Pattern lines determines what the filter actually does. Operators available include:

  • == is the equality operator, as in == “com.apple.TimeMachine”
  • != is the inequality operator
  • BEGINSWITH is for text which begins with the quoted text, and is case- and diacritic-sensitive
  • CONTAINS is for text which contains the quoted text, and is case- and diacritic-sensitive
  • CONTAINS[c] is for text which contains the quoted text, and is case-insensitive and diacritic-sensitive
  • ENDSWITH is for text which ends with the quoted text, and is case- and diacritic-sensitive

Logical operators which can be used to combine two filter patterns include:

  • AND which is simple, logical AND – both patterns are true
  • OR is simple, logical OR – either pattern is true
  • AND NOT is logical and, but the second pattern is NOT true
  • OR NOT is logical or, but the second pattern is NOT true.

In the dialog as shown, this is set up to return log entries from the com.apple.TimeMachine subsystem in which the logged event contains the text “backup” in any case variation (case insensitive).

Shortly after I got this debugged, my iMac decided to freeze. Following a forced restart, I ran LogLogger3 to show all the kernel entries from just before the freeze until the current moment. To do that, I set up just the first Pattern line, to read
processImagePath CONTAINS[c] kernel

Note that when you use the log command, you must insert text in quotation marks “”. In the final text boxes for Patterns, do not use quotation marks unless they are part of the search string: LogLogger3 automatically puts the contents of the Text boxes into quotation marks when it builds the command.

This is hard to describe (accurately), but once you have got the hang of it, it is very quick, simple, and powerful to use.

other allows you to enter any other valid predicate which you wish, such as that shown by default in the Other box below: here you need to give the full predicate, including any “” for text, which will simply be placed inside single quotes ” and prefaced by --predicate

The middle section concerns the style and formatting of the output. The standard is to use traditional system log style, similar to the previous Console app. You will probably want that with the trim feature turned on, to make the lines more compact. However, the default style is based on the new logs’ content, which is much more extensive and detailed. You will want to turn trimming off in that case. The final option for JSON format is valuable if you want to read the log output into another app which takes JSON format; don’t use trim with that, or it will become a real mess.

Normally you should include info messages: this does make a difference.

The third section concerns the period of logs to cover. Because of bugs, using start and end times is very unreliable at present, and I therefore only offer the last period of time, which you set here. Units are selected from seconds, minutes, hours, or days, and given as an integer. In the example shown, this means 3 hours.

The final section allows you to add any other text you want to the log show command. If you want to try start and end times, this gives you the scope, but I do not recommend them.

After a few seconds or longer, the requested log excerpt should then be saved into your specified text output file. If you use the standard syslog style with trimming, the first line will normally be junk, thereafter it will look something like
2016-10-12 18:19:34.49 backupd[10374]: (TimeMachine) [com.apple.TimeMachine.TMLogInfo] Starting automatic backup
2016-10-12 18:19:34.77 backupd[10374]: (TimeMachine) [com.apple.TimeMachine.TMLogInfo] Backing up to /dev/disk3s2: /Volumes/PROMISE PEGASUS/Backups.backupdb
2016-10-12 18:19:35.60 UserEventAgent[66]: (TimeMachine) [com.apple.TimeMachine.TMLogError] Failed to send message because the port couldn't be created.
2016-10-12 18:19:37.66 backupd[10374]: (TimeMachine) [com.apple.TimeMachine.TMLogInfo] Will copy (75.4 MB) from Macintosh HD
2016-10-12 18:19:37.67 backupd[10374]: (TimeMachine) [com.apple.TimeMachine.TMLogInfo] Found 573 files (75.4 MB) needing backup
and so on.

I hope that you find this even more useful. If you have any problems, find bugs, or have any suggestions, please add them here as comments (or send them by email to me).