Apple has not apparently documented this anywhere, but it has changed access to Sierra’s new log with the 10.12.4 update. When logged in as a normal – as opposed to admin – user, the entire contents of the logs are now inaccessible.
Using Apple’s own log browser, Console, shows completely blank logs when running as a normal user. No warning or explanation is given.
log command still shows its usage information, for example with
log show --help, which contains no warning that it is ineffective. However, attempting to use the
log show command simply returns an empty log.
Because of this effect on
log show, Consolation 2 still runs perfectly normally, but all attempts to retrieve previous log entries generate blank results, not errors.
Log entries are still made while running with a normal user account logged in, but
log show, Console, and Consolation are simply unable to find them. Consequently the only way to examine the log for a period logged in as a normal user is to log in as an admin user again and then examine previous log entries, something which Console cannot do unaided, making it even more unfit for purpose.
Once logged back into an admin user account, Consolation and the
log show command work normally again, and provide full access to the logs, including all log entries collected while logged on as a normal user. You can also use the
log command to dump previous log entries in .logarchive form, which you can then, if you really want, open and browse in Console.
Although not common, apps and macOS can have bugs which only appear when running in normal user mode. This change therefore makes it much harder to use Console to examine such bugs, and much harder to investigate problems which are confined to normal user mode.
The reason for this change is also obscure. Entries in Sierra’s new log are already heavily censored to remove personal data, to the point of limiting their usefulness. Apple has not claimed that this change addresses a security vulnerability. As far as any can recall, versions of Sierra prior to 10.12.4 have allowed full access to the logs when logged in as a normal user, as did OS X prior to Sierra. Could this be part of a process of further locking down access when running in normal user mode, perhaps?
Thanks to Dan for commenting on this blog, to draw my attention to this change.