hoakley October 10, 2017 Macs, Technology

Inside the macOS log: logd and the files that it manages

It has been well over a year since Apple told us much about the new unified log which it introduced in Sierra, and continues in High Sierra. At the time, at WWDC in June 2016, it was all rather novel, and didn’t arrive until the release of macOS Sierra the following September (2016).

Inevitably, the focus at WWDC was on explaining to developers how to write to the new log, and precious little was revealed about the log itself. This article is a small step forward in understanding the unified log, which is used in iOS, watchOS, and tvOS too.

Traditional logs, found on most conventional Unix systems, are a bunch of text files stored in several different folders. They’re easy to access, entries are relatively sparse, and they are separated into different voices: printing system errors and other log entries will normally go into one or more print logs, for example. More significant entries may be written into a system or console log, but there is no centralised log in which everything is recorded.

Apple’s grand design eliminates almost all other logs (macOS Server and some services still maintain their own, though), and fills a single unified log with many hundreds or thousands of log entries every minute. As Apple’s team stated in their 2016 presentation “we want as much logging on all the time as possible”. And we’ve got it.

Log folders and files

Log contents are stored as tracev3 files – an undocumented compressed binary format – in /var/db/diagnostics/Persist/ and /var/db/diagnostics/Special/. Other folders in /var/db/diagnostics/ and /var/db/uuidtext/ contain ancillary information for those logs.

/var/db/diagnostics/ consists of:

The folder Persist, which contains the main tracev3 files for the log as saved to disk.
The folder Special, which contains additional tracev3 files holding supplementary log content.
The folder timesync, which contains timesync files numbered in order, extending back to the Sierra upgrade over a year ago. These contain binary data about time synchronisation between log events and the high-resolution Mach system clock.
A series of plain text files named logdata.statistics.0.txt and others in numeric sequence – the log logs.
Other data files such as shutdown.log containing predominantly plain text details of significant log events.
version.plist.

/var/db/uuidtext/ contains a series of folders, named 00 to FF, each containing files named by UUID for specific log events, which extend beyond normal log entries. These include crash events and other items which overflow single line entries in the log. There is another folder named dsc which contains similar files.

Log management

Logs are managed by a background daemon logd, which is undocumented but responsible for compressing and writing log entries, and for maintaining the log files. Periodically it rotates log files, and weeds the entries in those deemed Special until they are eventually reduced to nothing and removed. Another daemon involved is diagnosticd, which can feed a live log stream such as that viewed in Apple’s Console utility, or in the log stream command. Both logd and diagnosticd run as root.

It’s not immediately clear why the log separates entries into Persist and Special log files, as they both contain entries of the same types. However, Special log files are weeded over time to ‘compress’ them, which is one of logd‘s functions. Older Special log files thus get progressively smaller as they age, until they contain almost nothing, and are automatically deleted.

Persist files are kept intact until they reach an age of about twenty days, or more, when they are simply deleted during log file rotation.

Persist log files are named using hexadecimal numbers in sequence, starting from 0000000000000001.tracev3 when that Mac is first started up in Sierra or later, and switching to a new log file when there is around 10.5 MB of data in the current file, although rotation occurs at irregular intervals, so the time periods and sizes vary.

Special log files are named using similar hexadecimal numbers, but appear to reuse recent numbers as well. They vary more widely in period and size, and their coverage may not be continuous.

When you use Console, Consolation or log to view live log entries (streamed live via diagnosticd, or historic entries in the current system log), those shown merge entries from the Persist and Special log files. However, the log command and Consolation also allow you to browse individual log files, in which case only those from the selected log file are shown. To get a full view of log entries for a given period, it would thus be necessary to view both the Persist and Special log files covering that period, when browsing them individually, such as in a logarchive.

Log logs

Of the other files written into the log folders, by far the most interesting and accessible are those named logdata.statistics.0.txt and similar. These are logs of the log files, written by logd as it performs its log file maintenance. They are numbered using the convention for log files, with the newest having the lowest number (0), and the oldest having the highest number.

Entries detail the following types of event:

Memory Rollover – these appear to mark the writing of a log file to disk from entries stored in memory.
File Rotate – rotation of Persist or Special log files to store future log entries in a new file.
UUID and Persist purge records – removal of log or supplementary files, listed by file name.
Special Periodic Compaction – weeding of Special log files to reduce their size, and eventual deletion.
Persist Periodic Compaction – deletion of oldest Persist log files.

Each of these is accompanied by a datestamp for the event, and the total number of log entries affected by that action. Those involving files on disk also report the file name.

Memory Rollover and File Rotate events are accompanied by a statistical summary of entries in that log file, listed by freqency of the process writing each entry. For example:
6796713, 19.2, /System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarAgent
4779552, 13.5, /usr/libexec/trustd
3026552, 8.6, /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking
2289064, 6.5, /usr/sbin/wirelessproxd
2115299, 6.0, /usr/libexec/sandboxd
1938784, 5.5, /usr/libexec/opendirectoryd
1888672, 5.3, /usr/libexec/coreduetd
971480, 2.8, /usr/sbin/securityd
903072, 2.6, /System/Library/CoreServices/powerd.bundle/powerd
845221, 2.4, /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
776128, 2.2, /usr/libexec/DuetHeuristic-BM
745384, 2.1, /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd
744848, 2.1, /kernel
668672, 1.9, /Applications/Tweetbot.app/Contents/MacOS/Tweetbot
667664, 1.9, /Applications/Safari.app/Contents/MacOS/Safari
584424, 1.7, /usr/libexec/UserEventAgent
582590, 1.6, /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
523984, 1.5, /System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd
426992, 1.2, /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
396328, 1.1, /usr/libexec/sharingd
The first figure given is the total number of log entries, and the second is the percentage of the total written by that process.

Interestingly, logd itself doesn’t appear to make any entries in the unified log, apart from very rare errors and faults.

Access

In making the tracev3 log file format closed and proprietary, Apple has ensured the entire log system is closed, and dependent on Console and the log command. Where log files need to be moved for access by another system, such as when browsing iOS logs, or performing forensic analysis, Apple advocates use of the logarchive format, which it describes as “portable”. However, Apple hasn’t documented that format either, although it has now been reversed to enable other apps to create valid logarchives and to access individual log files within a logarchive.

While the unified log is potentially a very powerful tool for advanced users, system administrators, developers, and many others, it is now limited in its value by the tools available to access it. As a result, most of those users who used to be familiar with El Capitan’s Console and logs are now unable to get anything useful from Sierra’s unified log, and have abandoned trying to access it. It’s all very well capturing the information, but if you don’t provide good tools to facilitate access and analysis, that information is largely wasted.

Probably the most common use for the unified log now is to generate voluminous sysdiagnose output to send to Apple.

16Comments

Add yours

1

Biff on October 27, 2017 at 9:47 am

FYI, a recent thread on the MacEnterprise listserv has some simple examples of how changes in log management in the last few macOS releases have created challenges for enterprises. The Eclectic Light Company gets a mention. Look for the thread titled “Sierra/High Sierra and syslog best practices” at https://lists.psu.edu/cgi-bin/wa?A1=ind1710D&L=MACENTERPRISE#8

LikeLiked by 1 person
- 2
  
  hoakley on October 27, 2017 at 9:50 am
  
  Thank you.
  Howard
  
  LikeLike
- 3
  
  hoakley on October 27, 2017 at 11:40 am
  
  There’s a very simple answer to the question of diverting or forwarding the unified log in Sierra or High Sierra: AFAIK it cannot be done. It is not part of the design concept, and without building yourself a completely customised version of macOS, probably from the kernel up, there is no support for it.
  A lot of the unified log isn’t even written to disk!
  Howard.
  
  LikeLike
  - 4
    
    Biff on October 27, 2017 at 3:08 pm
    
    Indeed. I confess I have a very hard time adjusting to this kind of an environment, having grown up doing system administration on large commercial Unix systems in the 90s, where logs were fairly straightforward to understand, configure, consolidate, analyze, and control across multiple machines and operating systems. Now, I have a hard time using the logs to troubleshoot simple problems on my personal laptop. (I would have given up completely were it not for the tools you’ve been developing – thank you!)
    
    LikeLiked by 1 person
5

Thomas on February 17, 2019 at 2:41 am

I have Kaspersky Labs Anti virus/ Anti malware installed on my Macbook Pro. It tells me (and blocks) whenever a website or an application has tried to ‘access my webcam’ (take my picture). Well, it also tells me that the internal Systemstats also tries to take my picture every time shortly after startup. I’m not a power user but I do like my privacy, so I first disabled the System Integrity Protection in order to disable the Systemstats mechanism. In completing this latter step my Kaspersky application advised me that Logd has now tried to access my webcam (built-in Mac camera)!! I’m feeling increasingly angry and violated by Apple–not really surprised though…

LikeLiked by 1 person
- 6
  
  hoakley on February 17, 2019 at 8:57 am
  
  Thank you.
  First, I strongly recommend that you uninstall Kaspersky. It is mired in controversy, and I have seen many reports of problems that it can cause.
  Second, if you want an anti-malware product, I’d recommend that you look at Malwarebytes or Sqwarq instead.
  Third, if you want to check what is accessing you mike and camera, trust Objective-See’s Oversight instead. That is reliable and trustworthy.
  Fourth, never disable system services, particularly by disabling SIP. This will cripple your Mac. logd doesn’t access your camera: anything that tells you it does is either warning that you have a malware problem which is pretending to be logd, or it is plain wrong. As logd is protected by SIP, it can only be replaced by malware if SIP is disabled.
  Fifth, you may find that the only way to restore your Mac’s proper function is to re-install macOS. These are important system services which you mustn’t tamper with. As you will see from the article above, if logd isn’t working normally, your log files won’t get maintained properly, and your Mac will eventually grind to a halt.
  Sixth, this isn’t Apple who is ‘violating’ your privacy – it is either malware or bugs in Kaspersky. You need to address both as a matter of urgency.
  I hope that gets your Mac back to normal.
  Howard.
  
  LikeLike
7

Thomas on February 17, 2019 at 4:26 pm

Thanks Howard for the detailed and thoughtful reply. I trust your expertise and will do as you suggest. I’m also going to look into the Kasperskly controversy. Again, thanks.
Tom

LikeLiked by 1 person
8

Quill Studios on April 25, 2019 at 5:06 am

Lately the logd process has been crashing constantly (around once every 10 mins) on my iMac, every time it crashes the computer locks up for about 30 seconds. It’s a huge pain in the a**. Have you ever come across anything like this or have any idea how I might fix it?

LikeLiked by 1 person
- 9
  
  hoakley on April 25, 2019 at 5:28 am
  
  This is the first time that I have ever heard of this problem with logd, which is normally very robust and just gets on with its job.
  First, restart in Recovery mode and open Disk Utility, there running First Aid on your boot disk. Ensure that you have ample free space on it.
  It would be very helpful to know why the crashes are occurring – something you’ll only know from the log, of course. If the error is coming from one of the log files, which it’s trying to maintain, that may give you a solution. In the worst case, you may need to remove all your log files and let the log start afresh.
  The other likely issue is that the logd tool itself has become corrupted, in which case downloading and installing the latest Combo updater is the best solution.
  These are considered in this article.
  I wish you success,
  Howard.
  
  LikeLike
  - 10
    
    Quill Studios on April 25, 2019 at 6:12 am
    
    Thank you Howard! Very helpful response!
    
    Yes I’ve run disk utility several times in regular mode and recovery mode, it finds directory valence errors on all snapshots and doesn’t seem to be able to fix them as they still there every time I run it. It says the errors will go away when the snap shot is deleted.
    
    I’m currently downloading the combo update as I’d read somewhere else that might help fix a corrupted logd process.
    
    The error log reports a bus error, with error code 10. I think this problem may have started after the upgrade to Mojave, I don’t recall experiencing this before that upgrade. My iMac has a fusion drive so maybe the conversion to APFS caused a problem.
    
    LikeLiked by 1 person
    - 11
      
      hoakley on April 25, 2019 at 6:16 am
      
      If the Combo update doesn’t fix this, I’d be inclined to perform a clean install of Mojave, provided that you can be confident with your backups for migration afterwards. I suspect your Fusion Drive didn’t convert perfectly, but hope that I’m wrong.
      I wish you success,
      Howard.
      
      LikeLike
12

Andrew on April 29, 2019 at 1:32 am

Quick update: I removed the local snapshots and Disk Utility now reports no problems with the disk. I ran memtest to see if RAM was an issue, came back fine. I tried the combo update and reinstalling the OS (but not deleting data on the drive), the problem is still occurring. My next step will be entirely wiping the hard disk and reinstalling from scratch, without restoring from backup to avoid reintroducing any possible problems.

I also notice after logo crashes the system.log file says logo is starting in ‘sick mode’, amy idea what that means? The entry text is: logd[855]: Starting in sick mode

LikeLiked by 1 person
- 13
  
  hoakley on April 29, 2019 at 8:27 am
  
  “Sick mode”? That doesn’t sound at all healthy. I’ve never heard of it before. I may just take a wander through logd to see how that arises, a bit later.
  Howard.
  
  LikeLike
- 14
  
  hoakley on April 29, 2019 at 10:15 pm
  
  I’ve taken a look through the current logd tool, and confirm that ‘sick mode’ is one of its startup error modes, although I can’t see what conditions might cause that. I’ve tweeted to see if anyone else knows; searching draws a complete blank – you seem to be the first person to have reported that error in public.
  Hopefully there’ll be some more information from someone who knows what this is all about.
  Howard.
  
  LikeLiked by 1 person
  - 15
    
    Andrew on April 30, 2019 at 12:57 am
    
    Thanks Howard!
    
    Yeh, there’s not much info around on this, I’ve seen one other post on the apple support forums that seem to be exactly this problem, the link is: https://discussions.apple.com/thread/8455365 – that user encountered it on 10.13, the thread petered out before it was resolved unfortunately.
    
    I’m planning on deleting the drive and re-installing the OS today or tomorrow to see if that resolves it. If not I assume it must be come kinda hardware problem that hasn’t been detected by the diagnostics I’ve run.
    
    I’ve also noted the errors stop occurring when the system is asleep, but then restart immediately after waking. They occur like clockwork just over 10 minutes apart.
    
    LikeLiked by 1 person
  - 16
    
    Andrew on May 2, 2019 at 3:30 am
    
    Ok, I erased the drive and did a fresh OS install from recovery mode, it seems to have fixed the problem. I haven’t restored from backup for fear I might reintroduce the problem – I’m just copying across any files I need and installing fresh versions of all the apps I need.
    
    Thanks for your help!
    
    LikeLiked by 1 person

·Comments are closed.

Share this:

Like this:

Related