hoakley March 19, 2018 Macs, Technology

macOS Unified log: 1 why, what and how

When Apple released macOS Sierra 10.12 in September 2016, it brought one of the most fundamental changes since the first Public Beta of Mac OS X: it replaced classical Unix logs with a new unified log.

In the eighteen months since, we have been slowly coming to terms with that – in the case of many users, learning to live without access to the macOS log. What had been a valuable aid in diagnosing startup, wake from sleep, app crash, and many other problems was effectively now inaccessible. Those logs which previously contained key audit information for system administrators were also largely gone too.

This series of articles is an attempt to give a practical overview of the unified log system in Sierra and High Sierra – information which, by and large, is not available elsewhere.

History and aims

Prior to 2014, logs in OS X had been fairly vanilla Unix-style text files, which were readily accessed using the bundled log browser Console and a range of third-party tools, and contained all the usual entries you’d expect. You could watch the Mac’s startup sequences, kernel extensions load, and everything get to work. Many users used to access their logs to check that Time Machine backups were running correctly, and to trace their problems.

Yosemite and El Capitan brought changes, the most obvious being that the logs were starting to fill up with copious idle chatter from component subsystems in macOS. I complained here that the new messages which were appearing, like
17/05/2016 21:04:40.175 storeassetd[531]: multibyte ASN1 identifiers are not supported.
or
17/05/2016 20:55:15.298 WindowServer[233]: _CGXRemoveWindowFromWindowMovementGroup: window 0x91 is not attached to window 0x92
were making the logs hard to use.

I also complained that in El Capitan there were around 4000 messages appearing in All Messages every 8 or 9 hours. Little did I realise what was just around the corner.

With macOS 10.12 Sierra, in September 2016, Apple replaced that traditional Unix text-based log system with its new unified log. It goals, declared at WWDC in June of that year, were:

a single efficient logging mechanism for user and kernel mode;
to maximise information collection with minimum observer effect;
the compression of log data;
a managed log message lifecycle;
as much logging on as much of the time as possible;
for privacy to be designed into the logging system;
a common system across macOS, iOS, watchOS, tvOS;
all legacy APIs (NSLog, asl_log_message, syslog, etc.) to be redirected into the new unified log;
to emphasise debugging of macOS and apps, not providing any facilities for system administration or audit;
to link to the sysdiagnose tool for gathering information for bug reports etc.

If you’re unsure what that means, in terms of the result, just open Console and let it run for a minute or two, while you get on with your work. Then try browsing the messages that it has captured over that brief period.

Architecture

Compiled code writes a message to the log using the new calls, or a legacy call which is redirected to the new log. This is handled by the logd daemon, which compresses it into a buffer. From there it is either retained in memory if ephemeral, or written out to a file.

There are two main groups of files which store log entries: those kept in /var/db/diagnostics/Persist/ in the form of tracev3 files, containing regular log entries, and those in /var/db/diagnostics/Special/ in tracev3 files, which contain additional shorter-life entries. Some additional Fault and Error log data also appear to be stored in files in /var/db/uuidtext/

.tracev3 files use a compressed binary format which is proprietary to Apple, and undocumented. Apple will not provide direct access to their contents, only through closed-source tools such as the log command tool. Where users want a more portable format, Apple recommends conversion to a .logarchive package. Although Apple has still not documented that, I have discovered all its essential requirements and will describe it in detail later in this series.

Log entries are made at any one of five levels:

Fault – these are always saved to disk, and have additional attached information which can be quite voluminous.
Error – as for Faults.
Default – these are saved to disk, but are normally confined to regular log entries.
Info – these are normally saved to memory, but can be set to go to disk instead, and are regular log entries.
Debug – collection of these has to be specially enabled using the log command.

Privacy features have caused problems from the outset. Although the programmer is supposed to be able to override defaults, static strings are normally passed in full into log entries, but dynamic strings, collections, and objects are by default censored with the text <private>. Bugs in support libraries and the ease of censorship results in many log entries losing all useful content to the dreaded <private>, which in many instances renders log entries information-free.

Not all logs have been bundled into the unified log, though. Among the remaining traditional text-based log files are:

daily.out, monthly.out, wifi.log are still active;
/var/log/install.log still keeps a valuable log of softwareupdate installations;
CUPS still runs its own logs in /var/log/cups;
third-party apps such as Adobe’s still run their own text logs;
system.log still exists, but is now a wasteland visited only by some legacy software, in my case Google Software Update.

Tools

Apple provides two bundled tools for access to the unified log: the GUI app Console, and the log command tool.

Console is a pale shadow of its former self, and is constrained to working with the live log stream from diagnosticd, or on saved logarchive packages. Early releases in Sierra had a lame predicate editor which made it almost impossible to use for any purpose, but this has steadily improved and is now functional in High Sierra.

Console provides no way of examining any log entries which were written before you opened the app, unless you have saved your logs into a logarchive. Even when you do, complete logarchives are so vast that trying to work with them in Console is intensely frustrating and slow. Using Console to examine log entries which occurred during a previous startup, for instance, is so difficult that it is seldom worth attempting.

The log command tool is extremely powerful, and quite complex in use; it is fully documented in its man page, and has improved significantly in High Sierra. Among its highlights are the live streaming of log entries using
log stream
although this is not an ideal place to use complex predicates, despite their value in sampling its firehose of data. The mainstay use to examine log entries is with
log show
and its many options.

I offer a series of free log browsers and other tools which I believe combine the power of the log command with a much more accessible user interface. Recent versions include features not available in Apple’s tools, including regex search, export to CSV format, and highly flexible formatting.

LogLogger was an AppleScript app offered from October 2016 to January 2017, which worked as a basic front-end to the log tool and dumped extracts into text files.

I then developed Consolation, a Swift app which displays its own log extracts. Its first test release was in February 2017, but was constrained to a single window. A much improved version 2.0 followed a month later, and its last full release was in September 2017.

By then, I had started on the even more sophisticated Consolation 3, whose last beta release was in December 2017. The main work remaining to take that to final release is rewriting its lengthy Help book.

During Sierra’s lifetime, Apple changed log access so that standard user accounts cannot obtain any log entries using Console or the log command; these don’t return errors, but no log entries are shown. To work around this for Consolation, I have an app which will launch Consolation with elevated privileges, enabling access to the logs: RunConsolation.

Blowhole is the only command tool that I know of which can write custom messages to the unified log, so provides access from shell scripts, etc.

Woodpile is a browser for the unified log which works quite differently from Consolation, in analysing entries from the top down. It is the only app which accesses the statistics summaries of log files compiled by logd, and uses those to help the user zoom in on short periods of interest in the log. Its first test version was released in October 2017, and the current beta release is 1.0b6 from December 2017.

I have also developed two more specialist tools which rely on the contents of the unified log. DispatchView is intended for the investigation of problems affecting the DAS and CTS dispatching sub-systems, and shows contemporary excerpts for those sub-systems side by side. The Time Machine Mechanic (T2M2) performs analyses on Time Machine log entries to assess their health for users.

Consolation, RunConsolation, Blowhole, Woodpile, DispatchView, T2M2, and RunT2M2 are all available for free download from Downloads above. Each runs on Sierra and High Sierra.

33Comments

Add yours

1

Joss on March 19, 2018 at 7:14 pm

I’m still on El Capitan, so pardon my ignorance, but I assume that if Adobe still uses text log files, we the users can also still create these, e.g. using the logger CLI to write .log files to /Library/Logs (with root processes) or to ~/Library/Logs (e.g. user processes). Right?

LikeLike
- 2
  
  hoakley on March 19, 2018 at 7:21 pm
  
  Nope.
  In Sierra and High Sierra, logger writes to the unified log, in a rather messy and unhelpful way, too.
  Howard.
  
  LikeLike
  - 3
    
    Joss on March 19, 2018 at 7:34 pm
    
    Oh Jeez, this is a catastrophe! So it means I basically have to create a _logger() function in every one of my scripts and run something like this? https://apple.stackexchange.com/a/256777/196293
    
    LikeLike
    - 4
      
      hoakley on March 19, 2018 at 7:37 pm
      
      If you want to write to a file other than the unified log, that is an issue which you have to address.
      Why not write to the unified log? – that’s why it’s there. A better way than logger might be my free blowhole.
      Howard.
      
      LikeLike
  - 5
    
    Joss on June 18, 2018 at 12:38 pm
    
    I’ve just updated to High Sierra, and the logger command to write .log files into Logs directories is still working fine in my shell scripts. Example: touch “$HOME/Library/Logs/local.$USER.test.log” ; logger -i -s -t “Test log with logger” “This is the actual log” 2>> “$HOME/Library/Logs/local.$USER.test.log”
    
    LikeLiked by 1 person
    - 6
      
      hoakley on June 18, 2018 at 1:01 pm
      
      I don’t understand logger, or what is going on there. However, all the information that I can find states that logger output in Sierra and later goes into the unified log and not more traditional text logs. However, if your scripts are still working, I’m happy for you to have found a solution.
      Howard.
      
      LikeLiked by 1 person
  - 7
    
    Joss on June 18, 2018 at 1:12 pm
    
    It’s the -s option, i.e. logger logs to the unified log *and* stderr, and then you use 2>> /path/to/log to print stderr to a file.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on June 18, 2018 at 1:15 pm
      
      Ah.
      Seems a bit of kludge to me, but if it works for you, I’m happy for you. Wouldn’t it just be easier to write a script to write straight into that text log, rather than going via logger?
      Howard.
      
      LikeLiked by 1 person
  - 9
    
    Joss on June 18, 2018 at 1:22 pm
    
    You could probably do that… see the apple.stackexchange link above with an echo function mimicking a log entry, but since the logger command already has all you need, whether you want to log to the unilog or additionally to a file, I don’t see any reason to change it. It would complicate things, I assume, and result in a lot of work changing dozens of shell scripts. 😉 The only problem is that you can’t seem to write a title along with the log entry, so I’ll definitely give your Blowhole tool a try.
    
    LikeLiked by 2 people
10

Joss on March 19, 2018 at 8:31 pm

So what if someone asks: “Hey Joss, send me all of your logs pertaining to process X on day Y and month Z from 10 years ago”?

As for blowhole, I’ll definitely try it out, but it’s probably not a good solution if you distribute shell scripts or workflows for people to use, and they don’t work out of the box, because they still have to install something.

LikeLike
- 11
  
  hoakley on March 19, 2018 at 8:42 pm
  
  You can very easily excerpt your process logs, say on a daily basis, in a script using log show, to pipe them into a separate archive.
  In my experience, macOS Sierra and High Sierra keep full log files for around 20 days, so you could even perhaps archive them every week.
  Please don’t think that I invented the unified log, or am promoting it in any way. That is what Apple has provided in Sierra and High Sierra, whether we like it or not. All I am trying to do is help others solve their problems with the new log. It really isn’t my fault!
  Howard.
  
  LikeLike
  - 12
    
    Joss on March 19, 2018 at 9:46 pm
    
    In that case it would be more prudent to shorten the logging process by one step and log directly to a dedicated file using a “fake logging” echo function. In that regard, does Console still open .log & .crash files etc.? Does it still read log files in the “legacy” locations like ~/Library/Logs? The latter I assume not. The former would be a weird.
    
    LikeLike
    - 13
      
      hoakley on March 19, 2018 at 9:52 pm
      
      Yes, Console still browses all the old locations and displays files in those. However, because they are plain old text, it doesn’t offer predicate filtering etc. with them, only regular text search.
      Howard.
      
      LikeLike
    - 14
      
      hoakley on March 19, 2018 at 9:59 pm
      
      If your scripts run in isolation of macOS, that would work fine.
      One snag – apart from the fact that you will have to do all the work, such as obtaining the datestamp for each entry, etc. – is that it is extremely hard then to correlate your log entries with those in the unified log, e.g. for debugging or trying to diagnose problems. One of the great advantages of a unified log is that everything, but everything, is there in the single log.
      Howard.
      
      LikeLike
  - 15
    
    Joss on March 19, 2018 at 10:31 pm
    
    Definitely. If it’s a script that needs to be read vis-a-vis other events, then I’d surely log to the Unified Log too. But if it’s just a couple of results by background scripts, they needn’t be sent to the UL. Would be overkill. Sure, in the end you wind up with years-old log files at several MB—and loads of APFS copy-on-write defrag too, I assume—, but that would also happen if you export with “log show” from the UL. Maybe not as much defrag, if you do it once per week. So maybe there *is* something to the UL after all. 🙂
    
    LikeLike
    - 16
      
      hoakley on March 19, 2018 at 10:52 pm
      
      That’s not the way that you’d use the unified log.
      What I would do would be to write all log entries to the unified log. You get free datestamping, to the nanosecond, and all the other benefits, including storage. Then I’d have a little daemon that ran once a week or so, calling a log show command which extracted from the unified log only the entries made by your scripts. If you use Blowhole to write the log entries, that log show command is really simple, as all it has to do is extract all those entries from the subsystem co.eclecticlight.blowhole. Just pipe those into a text file for safe keeping beyond the 20 days free storage you get in the unified log.
      Simple, efficient, the best of both worlds, and a minimum of effort on your part.
      Howard.
      
      LikeLike
17

Craig Newell on March 19, 2018 at 10:00 pm

It is possible to capture “” data – you just have to enable the capture with the mostly undocumented “sudo log config –mode “private_data:on””

LikeLike
- 18
  
  hoakley on March 19, 2018 at 10:03 pm
  
  That’s completely undocumented!
  Does that capture all private data then?
  Howard.
  
  LikeLike
- 19
  
  hoakley on March 19, 2018 at 10:20 pm
  
  I’ve just answered my own question, in Sierra 10.12.6 at least: that may allow dynamic strings through, but there’s still an awful lot of <private> censoring, presumably for collections and objects.
  What a shame.
  Howard.
  
  LikeLike
20

Craig on March 19, 2018 at 10:38 pm

It is possible to capture the “” data – you just need to enable the capture of it with the mostly undocumented “sudo log config –mode “private_data:on”“

LikeLike
- 21
  
  hoakley on March 19, 2018 at 10:45 pm
  
  Thanks, Craig – your first comment came through too.
  I checked it after you posted that, thanks, and there are still lots of <private> entries in the eventMessage fields. I can only presume that, like other log features, that doesn’t quite work fully. Does it only affect dynamic strings, perhaps?
  Howard.
  
  LikeLike
22

Reading Material for March 20, 2018 | Steven Engelhardt, CFA, AIF on March 20, 2018 at 5:50 pm

[…] macOS Unified log: 1 why, what and how – The Eclectic Light Company — An overview of Mac OS X’s logging service. Reminds me a little bit of the goals of the Windows Event Viewer and its System and Application logs. […]

LikeLike
23

Week 13 – 2018 – This Week In 4n6 on March 25, 2018 at 1:51 am

[…] macOS Unified log: 1 why, what and how […]

LikeLike
24

Week 12 – 2018 – This Week In 4n6 on March 25, 2018 at 1:58 am

[…] macOS Unified log: 1 why, what and how […]

LikeLike
25

cade on March 27, 2018 at 7:12 pm

Hey Howard! Hope you are well. Thanks again for your great info and utilities, expertise.

I actually tried to use consolation 2.3 as well as console to double check an alert message I got from RansomWhere (Objective-See util) that popped up and alerted on an otf font w/ an xar message alert. I do think it showed a path with the VAR folder.

Alas, I haven’t found yet in the logs but I’m sure I haven’t finessed it correctly, and it was just a quick scan, so I’ll check more closely when I have more time.

However, thought I’d see if you knew of any weird messages/issues about any OTF fonts trying to sent outgoing info and such …I should have gotten a screen grab and next time it does, I will.

Cheers!

LikeLiked by 1 person
- 26
  
  hoakley on March 27, 2018 at 7:16 pm
  
  I haven’t seen that. Have you contacted Patrick Wardle? He will be most interested, and I’m sure very helpful.
  Howard.
  
  LikeLike
27

cade on March 27, 2018 at 8:43 pm

Will do — thanks!

LikeLike
28

laiaiming on May 22, 2018 at 3:11 am

what about the binary log file data struct.

LikeLike
- 29
  
  hoakley on May 22, 2018 at 5:36 am
  
  As I wrote above:
  “.tracev3 files use a compressed binary format which is proprietary to Apple, and undocumented. Apple will not provide direct access to their contents, only through closed-source tools such as the log command tool.”
  Log data are stored in those tracev3 files.
  Howard.
  
  LikeLike
30

Brandon on February 21, 2019 at 2:32 pm

Thoughts on making the sudo log config –mode “private_data:on” command persist after reboot?

LikeLiked by 1 person
- 31
  
  hoakley on February 21, 2019 at 6:46 pm
  
  Thank you.
  No – I draw a blank. The command is undocumented, and there doesn’t appear to be any settings file into which that could go. The unified log works very low down, so that change would need to be made early during startup too.
  Sorry,
  Howard.
  
  LikeLike
32

Jon on March 22, 2019 at 4:25 pm

hey, dowes anyone know a way to delete unified.log? Im having trouble even locating it, even after making hidden files visible!

LikeLiked by 1 person
- 33
  
  hoakley on March 22, 2019 at 4:32 pm
  
  Can I suggest that you really, really don’t want to do this? Clearing the unified log is irreversible and serves no useful purpose: it will immediately start building again.
  If you are absolutely certain, then the only safe way to do this is using the log erase --all command in Terminal. But I repeat that you really, really don’t want to do this.
  Howard.
  
  LikeLike