Which log fields should be accessible in Consolation?

Since its introduction in macOS Sierra 10.12, the unified log has steadily added more log fields.

In Sierra, there are 16:

  1. timestamp, in full e.g. 2017-07-26 20:24:59.326229+0100
  2. machTimestamp, in system ticks, e.g. 608403543041193
  3. messageType, e.g. Default
  4. category, e.g. security_exception
  5. subsystem, e.g. com.apple.securityd
  6. processUniqueID, e.g. 156
  7. threadID, e.g. 868
  8. traceID, e.g. 833721519476834308
  9. senderProgramCounter, e.g. 193733726
  10. processID, e.g. 156
  11. eventMessage, e.g. MacOS error: -67062
  12. processImagePath, e.g. /usr/libexec/taskgated
  13. processImageUUID, e.g. 4F6F0B24-7A18-3AF9-853F-8F72F6C7D7C7
  14. senderImagePath, e.g. /System/Library/Frameworks/Security.framework/Versions/A/Security
  15. senderImageUUID, e.g. 005E8C96-40B6-35E3-B58B-888A5F5957C2
  16. timezoneName, may be blank.

A seventeenth, eventType, can be used in filter predicates but in Sierra doesn’t appear to be available as a field in its own right.

High Sierra added six more:

  17. eventType, one of signpostEvent, activityCreateEvent, logEvent, or timesyncEvent (others such as traceEvent and activityTransitionEvent may be possible but are very rare)
  18. signpostID, e.g. 14608112960288129006
  19. activityIdentifier, e.g. 32688
  20. parentActivityIdentifier, e.g. 0
  21. creatorActivityID, e.g. 0
  22. source, e.g. null. The only value I have ever seen for this is null.

Mojave then added another five:

  23. signpostName, a string name for a Signpost;
  24. signpostType, the Signpost type – begin, end, or event;
  25. signpostScope, a scope string, such as ‘process’;
  26. formatString, giving the format string used to convert variable content into a string for output, e.g. “vm_page_bootstrap: %d free pages and %d wired pages\n” or “%{public}@”;
  27. backtrace, consisting of imageOffset and imageUUID structured into a ‘frame’.

There’s an interesting story behind what may appear a peculiar field to include in a log, formatString. You may recall that one of the many security gaffes which appeared in High Sierra was that, at one stage, FileVault passwords for encrypted external drives were recorded in plain text in the unified log. I understand that this was the result of using the wrong formatting string when writing that log entry, which released data which should have been marked as <private>. So this field was added to ensure that no Apple engineer would use the wrong formatting string in the future. Otherwise, knowing the formatting string used to write that log entry is a fairly purposeless thing to do, and not the sort of content that you’d want to clutter up your log with.

For the last year or so, all versions of my free log browser Consolation 3 have given full access to all those fields except for the last, backtrace. I have so far not included that field, as it doesn’t appear useful to anyone outside Apple, and when present delivers a multi-line string such as
    {
      "frames" : [
        {
          "imageOffset" : 39623,
          "imageUUID" : "100013AE-0443-3CF0-AC17-5D934608B60B"
        }
      ]
    }

This would occupy a lot of lines in the log extract.


It’s my current intention for Consolation to continue to not give access to the backtrace field in the log in future. If you want access, please comment here or email me, preferably explaining how you’d like this field formatted so that it doesn’t fill log extracts with multiline entries.
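One possible single-line rendering of the backtrace field, as an added example that is not Consolation's code: each frame becomes `imageUUID+0xoffset`, frames are comma-separated, and an entry without a backtrace gets `-`. The sample entries are constructed from field values shown on this page, and the function names, the tab-separated layout and the escaping of control characters in messages are assumptions.

```python
import json

# Constructed sample shaped like `log show --style json` output; field names
# and most values come from this page, the second frame offset is made up.
SAMPLE = r'''[
 {"timestamp": "2017-07-26 20:24:59.326229+0100",
  "processImagePath": "/usr/libexec/taskgated",
  "eventMessage": "MacOS error: -67062",
  "backtrace": {"frames": [
    {"imageOffset": 39623, "imageUUID": "100013AE-0443-3CF0-AC17-5D934608B60B"},
    {"imageOffset": 4096, "imageUUID": "005E8C96-40B6-35E3-B58B-888A5F5957C2"}]}},
 {"timestamp": "2017-07-26 20:25:00.000001+0100",
  "processImagePath": "/usr/libexec/taskgated",
  "eventMessage": "line one\nline two"}
]'''

# Control characters are escaped so that no field can spill onto, or imitate,
# a neighbouring line of the extract.
ESCAPES = (("\\", "\\\\"), ("\n", "\\n"), ("\r", "\\r"), ("\t", "\\t"))


def flatten_backtrace(backtrace):
    """Collapse the 'frames' structure into UUID+0xOFFSET tokens on one line."""
    if not isinstance(backtrace, dict):
        return "-"
    tokens = []
    for frame in backtrace.get("frames") or []:
        uuid = frame.get("imageUUID", "?")
        offset = frame.get("imageOffset")
        tokens.append(f"{uuid}+{offset:#x}" if isinstance(offset, int) else f"{uuid}+?")
    return ",".join(tokens) or "-"


def one_line(entry, fields=("timestamp", "processImagePath", "eventMessage")):
    """Render one entry as a single tab-separated line, backtrace last."""
    cols = []
    for name in fields:
        value = str(entry.get(name, ""))
        for raw, escaped in ESCAPES:
            value = value.replace(raw, escaped)
        cols.append(value)
    cols.append(flatten_backtrace(entry.get("backtrace")))
    return "\t".join(cols)


def render(json_text):
    """Return one output line per log entry in a JSON array of entries."""
    return [one_line(entry) for entry in json.loads(json_text)]
```
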

If you have any other requests for future versions of Consolation, this is also a good time to put them. I am working, currently in slow time, on the next generation of log browser which, while retaining all the controls and features of Consolation 3, will have a much cleaner interface and be more accessible as a result.