I am delighted to announce that I have successfully reverse-engineered Apple’s logarchive bundle format. As a result, a new version of MakeLogarchive will generate logarchives which can be opened using Consolation, Apple’s Console, and the
log command in Terminal.
This should be of immediate use to anyone wishing to access the new unified log in Sierra and High Sierra, when they do not want to work from the current ‘live’ log, such as in forensic work.
This new version of MakeLogarchive is available here: mla3
and in Downloads above.
However, accessing these potentially huge logs needs care. Even with a small log, it is very easy to try browsing so many entries that your browser is overwhelmed.
There is one important limitation at present. Part of the information written to the logarchive bundle contains the Mach system time (in ticks) at the end of the logs contained in the logarchive. I have not yet discovered how to obtain that information from those logs, so currently MakeLogarchive writes the system time at which the logarchive is generated. This prevents you from using the Period setting in Consolation: you must set the window to be viewed using the Start and End dates and times.
At present, MakeLogarchive does not analyse the logs to tell you which individual tracev3 log files contain entries for which time period. That is clearly something which I need to address in the next version. However, you will probably find it quicker and easier to access individual log files when you can, as they are much smaller in size.
Perhaps the best explanation is a walkthrough using this new version of MakeLogarchive, and the latest beta of Consolation 3 (from Downloads).
1. First make your logarchive bundle
If you’re looking at the log from a tethered iOS or similar device, follow Apple’s instructions for making a logarchive bundle from that device, on your Mac. You then don’t need MakeLogarchive, but can proceed straight to using Consolation to browse those logs.
If you’re trying to examine the logs of another Mac, all you need are the folders containing those log files, from
/var/db/uuidtext. Put those two folders into another folder, then use MakeLogarchive to turn them into a logarchive bundle. Click on the Copy for Consolation button, select the folder containing the
uuidtext folders (which can instead be your own live log, if you select
/var/db on your own Mac). Then save the logarchive using an appropriate name and location. Ensure that it has the
2. Work out which log file to browse
Open the logarchive bundle (Show Package Contents in the Finder), and scroll down to the bottom of its long list of folders. The main log files, with the
.tracev3 extension, are in the
Special folders, and are named in time order. Select the most recent one in the
Persist folder, for example, and note its date and time of creation, and the date and time of modification. Log entries in that file should have been made between those two times. Decide which tracev3 file you’re going to browse, and pick a suitable period within its scope.
3. Open the tracev3 log file in Consolation
Open Consolation 3, and click on the file radio button for its Log source, at the top of the window. Select the tracev3 file which you identified, within the new logarchive.
4. Browse a minute of that log
Set Filter to other text or none, with nothing in the other text box, and your favourite Style such as starters+ (I have modified mine here to give the date as well as time). Set the Period to 0 min, and enter in the Start and End boxes a window of a minute within the period included in that tracev3 file. Before going any further, check that both dates and both times are set correctly, to give a window of around a minute. Then click on the Run command button.
If you see no log entries, check Consolation’s settings, particularly the Start and End settings.
If you get an error alert, this almost certainly means that the logarchive is defective or damaged. If it was made by MakeLogarchive, let me know, please.
You can also (if you must!) browse logarchives made by this new version of MakeLogarchive using Apple’s Console. However, that only appears able to open complete logarchives, and I have not found a way of getting it to open individual tracev3 files.
If you use MakeLogarchive to convert incomplete or damaged log files into a logarchive, you may find the resulting logarchive doesn’t work fully, or at all. I don’t have any bright ideas at the moment as to what you could do to work around this, other than trying the
log command itself. If you’d like assistance, given my newly-acquired understanding of the logarchive format, please contact me.
Please let me know how you get on. My next task with MakeLogarchive is to generate a catalogue of tracev3 files to make them easier to access.