High Sierra brings some changes to the unified log from Sierra 10.12.6, although as far as I can tell at present, these shouldn’t have any great impact on log use or analysis. As I have been unable to find any release note or other information about these from Apple, these may not be the only changes, but are those which I have been able to detect.
The most obvious change is that Apple has added a new folder to the main path to which ‘live’ log files are saved, /var/vb/diagnostics, named HighVolume. This is presumably intended to contain .tracev3 log files written when many messages are being written to the log over a short period of time.
I have not yet found any files in that folder, so I cannot assess that any further. Until I know more, I will omit any files saved to that folder from logarchives made by MakeLogarchive and Woodpile.
A new verb has been added to the
log stats, which provides some options for generating statistical summaries of existing logs. For full details,
man log, at which point it’s worth noting that this updated
man page still bears the original page date.
The options for
log stats allow you to obtain information from either the current live logs (default), or using the
--archive archivename option you can obtain them from the logarchive named archivename.
Other general options include:
bytes: sorts results by events or by size, the default being size;
all: delivers results for only linenum lines, or all (default);
json: prints results in human-readable form (default), or in JSON format.
The final options determine which results are provided, of which you can select only one:
--overviewgives an overview for the entire set of logs or logarchive,
--per-bookgives figures for each log book,
--per-filegives them for each log file,
--sender sendernamegives them for the sender named sendername,
--process processnamegives them for the process named processname,
--predicate predicatespecgives them selected according to the supplied predicate predicatespec.
book Apple is referring to the major types of log, i.e. Persist, Special, and now HighVolume.
I have so far only tried this on a system which has not been collecting normal
logd statistical summaries, and the commands take several seconds to complete even with few small log files. Worse, the results appear to be almost entirely spurious.
For example, figures given using the per-file option appear correct for the compressed file size, but the uncompressed sizes, start and end dates given for each file are identical, and appear correct for the whole log, not those individual files.
The figures given for events, activity, log messages, ttl, processes, and senders vary only slightly between each of the files, and cannot be correct: for example, the number of default log messages given for a log file which is 10,451,392 bytes in size when compressed is given as 3,811,510, and that for a log file which is 8,184 bytes when compressed is given as 3,811,710.
For the moment, I would not rely on any of the figures given by
log stats until these issues have been addressed, which makes this new verb useless in its present form.
Seeing the deficiencies in that Mac’s
logd statistical summaries, I was concerned that maybe High Sierra has also stopped
logd from producing those invaluable figures.
However, some Macs do appear to write them still, so I suspect this behaviour is dependent not on the version of macOS which is running, but on the model of Mac on which it is running. Statistics are missing from the
logd logs on my old MacBook Air, but are still present in those logs written on my much newer iMac17,1.
I also wonder whether the
log stats verb would normally extract statistics from the
logd logs, just as Woodpile does, and only generates incorrect output when it doesn’t have the benefit of those. I’d be very interested to hear of the experience of others who have used
log stats, or who have used Woodpile on High Sierra systems, please.
In summary, then, Apple appears to have made two changes to the unified log in High Sierra. The undocumented HighVolume folder hasn’t been seen to be used yet, and
log stats, which is documented in the
log man page, appears too flawed to use at present.