Log Literacy: How to make and use logarchives

Most of the time, when you want to browse the log using my free Ulbow, you’re happy to do so on the live log on the same Mac. There are occasions when you can’t or don’t want to, including when you want to

browse the log obtained from another Mac or device, typically in a sysdiagnose;
browse the log in a sysdiagnose you’ve already made, perhaps to send to Apple;
preserve the whole of a period of the log for further analysis.

For this purpose, my preferred way of obtaining a sysdiagnose is with the command
sudo sysdiagnose -f ~/Documents
to save that to my Documents folder. Unarchive that, and locate the logarchive within it.

Unless you’ve already got a sysdiagnose, you’ll first need to create a logarchive on the Mac you want to analyse. There are two ways to do that in Ulbow: using a browser window and the Write logarchive… command, or the Logarchive Tool window. The latter offers greater flexibility, and is described in detail in Ulbow’s Help book. Here I’ll show you the quicker menu command.

With a window already open in Ulbow, the first task is to set the time period to be included in the logarchive. This is the time before the present over which the log will be collected; you can’t specify a period ending in the past, though. Set this is the window’s Period, where -1 hour as set below will capture all log entries made in the last hour.

Then use the File/Write logarchive… menu command to save it. You’ll be prompted where to save it first: ensure this is somewhere on your current boot disk, such as ~/Documents, as macOS will refuse to create a logarchive on what it considers to be external storage.

You’ll then be prompted to enter your admin password, as the command to write a logarchive has to be sudoed. Note this dialog displays the Ulbow app icon in miniature on a padlock icon, and has the wording shown here. There will then be a short pause as macOS gathers together all the files needed to create your logarchive, and writes them out to disk.

For longer time periods, logarchives can grow into GB, and here for a mere hour totals over 300 MB.

Now, with the same Ulbow window open, use the File/Open logarchive… menu command to browse the contents of the logarchive you just created. When you select it, you’ll see it consists of a warren of folders; if you want, you can open individual log files within it, but here we’ll open the whole logarchive to browse anywhere within its contents.

Click on the Open button and you’ll then be able to browse any time period within that logarchive.

Note the red book emoji next to the Get Log button, which indicates that this window is browsing a saved logarchive, and not that Mac’s live log. All times set in the browser window must be within the timeframe of the logarchive, or you won’t see any entries. You can open more windows too, in each using the Open logarchive… menu command to set the source of its log entries.

Once you’ve got a logarchive, you can analyse it using other log browsers, even Console if you prefer, and my own Consolation 3. This is also the only straightforward way to browse logs captured in sysdiagnoses from devices such as iPhones and iPads, or those sent to you by clients or customers.

Happy browsing!

4Comments

Add yours

1

Ryan on August 16, 2023 at 5:32 pm

This is not the best place for my comment. I’m posting it here, because the comments for articles with a better fit are already closed. I hope that’s okay.

macOS keeps permanent records of some of the usage of the system through its logs. One example of that is the file ~/Library/Logs/fsck_hfs.log. It contains a list of every dmg file that a user has opened since the installation. I’m aware that this is not a privacy concern, but I don’t really like it.

Since I have no usage for the logs anyway, I’m thinking about deleting all logs except the unified logs periodically. (As far as I can tell, macOS keeps the unified logs only for a couple of hours or so.)

By “all logs” I mean everything in the following folders:
– /private/var/log
– /Library/Logs
– ~/Library/Logs
– /Library/Application Support/CrashReporter
– ~/Library/Application Support/CrashReporter

After reading pretty much everything that I’ve found online about this topic, I think it should be save to delete these logs. It seems that logs work like black boxes. The different system components and apps create logs or append data to existing logs, but they *never* read this data. If a certain log file is missing, the related process or app just creates a new one.

The only warning that I’ve found is not to delete some of the folders inside the log folders (/private/var/log/apache2, for example) because this might impair the logging functionality of some processes or apps.

Before I delete the logs on my system, I would be glad to get some feedback on this topic. Can I safely delete the logs, is there maybe even a Terminal command for this (analogous to “sudo log erase -all” for the unified logs), or should I be very careful with deleting logs?

LikeLiked by 1 person
- 2
  
  hoakley on August 16, 2023 at 6:58 pm
  
  I don’t know of any problems you’d encounter if you periodically deleted those saved log files. But you shouldn’t delete their folders, just the log files themselves. Once macOS used to do this sort of task in its routine housekeeping, but that seems to have become less frequent. I’m afraid you’ll need to come up with your own shell script or similar to do this.
  “macOS keeps the unified logs only for a couple of hours or so”
  No – it keeps the unified log down to a maximum size. Depending on the rate at which new entries are made, that could be from a day or so to a week or more; in the past it could be as long as 20 days. It doesn’t thin those logs on time so much as their total size. However, entries in the unified log are carefully censored to maintain privacy, often to the point where entries lack any useful information at all, and just contain <private> instead of info!
  Howard.
  
  LikeLike
  - 3
    
    Ryan on August 16, 2023 at 9:12 pm
    
    Thank you for clarifying this!
    
    There are 2 files, /private/var/log/SleepWakeStacks.bin & /private/var/log/displaypolicy/iogdiagnose-last.bin, that look different. Are these logs too?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on August 16, 2023 at 10:01 pm
      
      I don’t know. They’re not executables, but look like MacBinary archives. I’m sure that macOS can regenerate what it needs – I don’t have the first of those here anyway.
      Howard.
      
      LikeLike

Share this:

Related