The unified log in High Sierra 10.13.1

High Sierra brings some changes to the unified log from Sierra 10.12.6, although as far as I can tell at present, these shouldn’t have any great impact on log use or analysis. As I have been unable to find any release note or other information about these from Apple, these may not be the only changes, but are those which I have been able to detect.


The most obvious change is that Apple has added a new folder named HighVolume to /var/db/diagnostics, the main path to which ‘live’ log files are saved. This is presumably intended to contain .tracev3 log files written when many messages are being written to the log over a short period of time.

I have not yet found any files in that folder, so I cannot assess that any further. Until I know more, I will omit any files saved to that folder from logarchives made by MakeLogarchive and Woodpile.

log stats

A new verb has been added to the log command, log stats, which provides some options for generating statistical summaries of existing logs. For full details, see man log; it’s worth noting that this updated man page still bears the original page date.

By default, log stats reports on the current live logs; with the --archive archivename option, it reports on the logarchive named archivename instead.

Other general options include:

  • --sort events [or] bytes : sorts results by events or by size, the default being size;
  • --count linenum [or] all : delivers results for only linenum lines, or all (default);
  • --style human [or] json : prints results in human-readable form (default), or in JSON format.

The final options determine which results are provided, of which you can select only one:

  • --overview gives an overview for the entire set of logs or logarchive,
  • --per-book gives figures for each log book,
  • --per-file gives them for each log file,
  • --sender sendername gives them for the sender named sendername,
  • --process processname gives them for the process named processname,
  • --predicate predicatespec gives them selected according to the supplied predicate predicatespec.

By log book Apple is referring to the major types of log, i.e. Persist, Special, and now HighVolume.

I have so far only tried this on a system which has not been collecting normal logd statistical summaries, and the commands take several seconds to complete even with few small log files. Worse, the results appear to be almost entirely spurious.

For example, figures given using the per-file option appear correct for the compressed file size, but the uncompressed sizes, start and end dates given for each file are identical, and appear correct for the whole log, not those individual files.

The figures given for events, activity, log messages, ttl, processes, and senders vary only slightly between each of the files, and cannot be correct: for example, the number of default log messages given for a log file which is 10,451,392 bytes in size when compressed is given as 3,811,510, and that for a log file which is 8,184 bytes when compressed is given as 3,811,710.

For the moment, I would not rely on any of the figures given by log stats until these issues have been addressed, which makes this new verb useless in its present form.
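The following is an added example, not code from the original post or from Apple: a Python check that flags per-file figures which stay almost constant while the files' compressed sizes differ widely, the pattern described above. The record layout and field names are hypothetical (they are not the real log stats JSON schema); the compressed sizes and message counts are those quoted above, and the remaining values are constructed.

```python
def spread(values):
    """Relative spread of a list of numbers: (max - min) / max, or 0.0 if max is 0."""
    hi, lo = max(values), min(values)
    return (hi - lo) / hi if hi else 0.0


def suspicious_fields(records, size_key="compressed_bytes",
                      min_size_spread=0.5, max_field_spread=0.01):
    """Return the sorted names of fields that barely change between files
    even though the files' compressed sizes differ widely."""
    if len(records) < 2:
        return []  # nothing to compare against
    if spread([r[size_key] for r in records]) < min_size_spread:
        return []  # similar-sized files may legitimately have similar figures
    flagged = []
    for key in records[0]:
        if key in (size_key, "file"):
            continue
        values = [r.get(key) for r in records]
        if all(isinstance(v, (int, float)) for v in values):
            if spread(values) <= max_field_spread:
                flagged.append(key)  # numeric figure is near-identical
        elif len(set(values)) == 1:
            flagged.append(key)  # e.g. identical start and end dates
    return sorted(flagged)


# Constructed sample. Field names are hypothetical; file names, dates and
# uncompressed sizes are made up. Only compressed_bytes and default_messages
# use the figures quoted in the text.
SAMPLE = [
    {"file": "large.tracev3", "compressed_bytes": 10451392,
     "uncompressed_bytes": 50000000, "start": "2017-11-01", "end": "2017-11-05",
     "default_messages": 3811510},
    {"file": "small.tracev3", "compressed_bytes": 8184,
     "uncompressed_bytes": 50000000, "start": "2017-11-01", "end": "2017-11-05",
     "default_messages": 3811710},
]

if __name__ == "__main__":
    for name in suspicious_fields(SAMPLE):
        print("figure does not vary with file size:", name)
```
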

logd logs

Seeing the deficiencies in that Mac’s logd statistical summaries, I was concerned that maybe High Sierra has also stopped logd from producing those invaluable figures.

However, some Macs do appear to write them still, so I suspect this behaviour is dependent not on the version of macOS which is running, but on the model of Mac on which it is running. Statistics are missing from the logd logs on my old MacBook Air, but are still present in those logs written on my much newer iMac17,1.

I also wonder whether the log stats verb would normally extract statistics from the logd logs, just as Woodpile does, and only generates incorrect output when it doesn’t have the benefit of those. I’d be very interested to hear of the experience of others who have used log stats, or who have used Woodpile on High Sierra systems, please.

In summary, then, Apple appears to have made two changes to the unified log in High Sierra. The undocumented HighVolume folder hasn’t been seen to be used yet, and log stats, which is documented in the log man page, appears too flawed to use at present.