hoakley October 7, 2023 Macs, Technology

Sonoma’s log gets briefer and more secretive

If you used Macs before Sierra, chances are that you were happy to browse their logs when necessary, for example to check whether your Time Machine backups were working correctly, or quietly throwing errors. At that time, the logs were traditional text-based records like those in other variants of Unix, and browsed using the Console app in /Applications/Utilities.

Browsing your logs using Console is a vital part of diagnosing many problems. — Traditional text logs in OS X 10.10 Yosemite before they changed in Sierra.

I started to become irritated by them as long ago as El Capitan, writing:
“Having excised most of the old dross and accumulated extensions, and running a fairly clean El Capitan system, my All Messages [in Console] clocks up around 4000 messages every 8 or 9 hours. At its worst – straight after the OS X 10.11.5 update, for example – it can fill those 4000 message slots in a minute or two, but even overnight when the system is not asleep it will seldom stretch to much longer than 12 hours. A traditional Unix wizard would have the screaming ab-dabs at this. We used to tweak, tune, and pare down systems until they barely coughed into their logs. It used to be the mark of a well-loved system.”

Little did we realise then that Sierra was going to change all that, and by Mojave we’d be enduring 4,000 and more log entries in a second, when our Macs were feeling loquacious. That was because Apple introduced the Unified log, with its entries written not in plain text but compressed binary format. This was the death-blow for the casual reader of logs: for a start, the replacement Console app was unable to access any log entries made in the past, and its tools were, and remain, woefully inadequate for tackling the increasing torrent of log entries.

Despite its many great strengths, the Unified log has suffered two problems that are limiting its usefulness in Sonoma: its diminishing period of coverage, and censorship.

Period of coverage

Rather than rolling its log files by their age, and keeping the last five days of logs, macOS maintains them by size. Like its predecessors, that means logd, its maintainer, only keeps the last 520 MB or so of regular Persist log entries collected at any time, and purges older entries. Some older log entries are retained, but it’s pot luck as to whether those you’re interested in are among them, and even if they are, other related entries may have been removed already. If you’re interested to see how this works, logd keeps records in the logdata.statistics.[n].txt files in /var/db/diagnostics, but those too are purged so you can only look back a few days.

In the early days of the Unified log, I was amazed to discover that it kept log records for as long as 20 days or more. In Sonoma, my main working Mac is struggling to keep them for as long as 24 hours. There’s no way for the user to increase that period to compensate for the increased rate of writing log entries by macOS. If I don’t catch an event well within 24 hours of it happening, chances are that its log entries will already have been purged when I go to look for them.

Privacy

Censorship to maintain privacy is an important feature in the Unified log, and is responsible for so many of its entries being peppered with <private> instead of revealing potentially sensitive data. The mechanism for this is robust: when collecting entries for the log, sensitive content is excluded, then displayed with that marker. As that sensitive content isn’t stored in the first place, there’s no way to unmask that content once it has been collected and written to the log.

Currently, the only way to see unmasked log entries is through a special profile. Once that has been enabled, and until it’s disabled again, all privacy should be removed from the log, and those <private> markers replaced with real data.

Only Apple has now decided that some log content is too private to reveal even when privacy has been removed. I came across this recently, in multiple log entries, when researching Web Apps, in entries like
ShareKit Start performing service <private> with items: <private> ShareKit filteredItemsFromItems:<private> [-1]--> <private> ShareKit Final shared items for <private>: <private> ShareKit Perform custom action (<private> [<private>]) ShareKit Custom action (<private>) does not support async, running sync block

Of course, it may be possible to turn this additional privacy off, but the documentation leads us once again to a guessing game. Apple documents the Enable-Private-Data profile key here, where it refers to it controlling “private data logging”. But in its account on log privacy settings, Apple refers to two distinct privacy settings that can be applied to the content of log entries: the “standard option” ‘private’, and sensitive, described as “the option to always redact interpolated values that contain sensitive information.” Does this mean that setting Enable-Private-Data to false doesn’t unmask content designated sensitive, only that set as ‘private’?

Like so many great ideas, the Unified log is suffering from profligate overuse. Who really needs to see full dictionary dumps from RunningBoard? Is there no better way to record that information than in the log?

18Comments

Add yours

1

Udo Thiel on October 7, 2023 at 10:08 am

This stuff is getting out of hand. On a single-user machine it is plain useless, and on a multi-user machine, every non-privileged user has to trust admin anyway, there is running and hiding, especially if it is the Bastard Operator from Hell (does anyone remember him?)

At the minimum, Apple should add log customisation functionality to Console.app directly.

BTW, I came across your profile you mentioned only a few weeks ago, and since comments were closed for that article, I couldn’t ask my question, which is: given that I have an Apple developer account myself, how do I create my own profile? Thanks in advance.

LikeLiked by 1 person
- 2
  
  hoakley on October 7, 2023 at 4:45 pm
  
  Although you can write a profile in XML and sign it, the simple way is to use Apple Configurator 2. The process is described in its Help book.
  Howard.
  
  LikeLike
3

SarahB on October 7, 2023 at 12:43 pm

Sorry to hear how things have been going but I felt it in so many other ways that affect me also with each macOS update. Mostly how it keeps putting priority over apple’s services like Apple TV and stuff, but then keeps taking away the functions that were useful for me.

Like for people like me who have their own media, apple keeps taking away things we use in the apps like TV, Music and stuff are so focused on if you use apple’s paid apps like TV+ and Apple Music. Like even in the TV app shows I purchased show up proper, but if I go to my computer on the Apple TV for shows I purchased so often the cover art is missing or broken. Never used to be this way.

I miss how the user had more control on macOS with things. Or just access to things. I know it seems this often helps how the apps you create work. I remember Mike at Bombich software kept getting more frustrated even with each macOS release and changes that made it more difficult to backup.

I even had to remove OCLP from my mac’s that use it since this 1.0.1 release seems bad. All my mac’s using it and running Sonoma were running too hot. So I put them back to the last macOS they can run and now running 20C cooler.

LikeLiked by 2 people
- 4
  
  hoakley on October 7, 2023 at 4:46 pm
  
  I’m sorry to hear that you’ve had problems with the OCLP update. Have you informed the developers?
  Howard.
  
  LikeLike
  - 5
    
    SarahB on October 7, 2023 at 5:07 pm
    
    Maybe was too soon to try it but it was released. Just found 3 different mac’s I was using it with all ran 20C hotter than when on OCLP and Ventura. Also they ran so slowly. Booting took so long. Just felt like it really slowed down those mac’s. 2012/2014 mini’s and 2014 MacBook Air. The mini’s all have 16gb of ram but the air 8gb. Still they ran ok on Ventura.
    
    I kind of prefer to run the OS native though since then I can turn on file vault and SIP and other things which I can’t do on OCLP. Also the Mac runs a lot better even though it’s not on the current OS anymore. I think maybe it’s just time to stop since these are getting too old I guess. Even the new wallpapers would kill the Mac and have the fans on max.
    
    On the air though was terrible, I would click something then a long delay before anything happened. Working on the last Mac now the 2014 mini to put it back on Monterey and no OCLP. Then won’t be using OCLP on any Mac here anymore.
    
    People I told said they were not having these issues but not sure if people use them like I do. It’s ok though. Can’t expect miracles.
    
    LikeLiked by 1 person
6

John Gilbert on October 7, 2023 at 11:16 pm

Some time ago, I got irritated by verbosity and by losing logs. This was even though I don’t use them very often.
So I used sudo log config –mode “persist:off” commands to exclude excess entries clogging up the logs. (I think you taught me how to do that).
And then created a simple launch daemon and script to create daily log archives and keep them for 3 months. I store about 1 GB every day.

LikeLiked by 1 person
- 7
  
  hoakley on October 8, 2023 at 6:34 am
  
  Thank you. Yes, I too have turned off some subsystems from remaining in the Persist logs. It’s reaching the stage where I wonder if I need to turn off most of macOS, though, which defeats the whole point, surely.
  Howard.
  
  LikeLike
8

Thomas on October 8, 2023 at 1:14 am

System logs have become unusable for me. I find it extremely confusing. Recently for example I spent a day trying to find a way to configure the logging system to show syslog debug logging of a process I had no control over in the unified log. Nothing I did to asl.conf seemed to have any effect. I had to give up and debug it some other way… If anyone knows how to do that I would appreciate any suggestions.

LikeLiked by 2 people
- 9
  
  hoakley on October 8, 2023 at 6:38 am
  
  I have dozens of articles here about the unified log, and free log browsers, including Ulbow. Perhaps if you can explain what you were trying to do, I can help.
  Howard.
  
  LikeLike
  - 10
    
    Thomas on October 8, 2023 at 8:23 pm
    
    Thanks for offering to help 🙂 – The problem is not the filtering, the problem is that syslog level >5 is simply not showing up in the logging system anymore. (syslog -s -l 5 test5 does but -l >5 does not). I looked at /etc/asl.conf which seems to be the cause because of the line “? [<= Level notice] store" – however changing this to ?[<=Level debug] has no effect, neither creating things in the asl folder. My question: How can I get syslog -s -l 6 or 7 to show in the logging system? Thanks!
    
    LikeLiked by 1 person
    - 11
      
      hoakley on October 8, 2023 at 8:39 pm
      
      Syslog and asl were replaced in macOS 10.12 by the Unified log. No code should be still trying to write to logs that were superseded in 2016.
      Howard
      
      LikeLike
12

Week 41 – 2023 – This Week In 4n6 on October 8, 2023 at 11:18 am

[…] Howard Oakley at ‘The Eclectic Light Company’Sonoma’s log gets briefer and more secretive […]

LikeLike
13

aONe on October 8, 2023 at 4:57 pm

Thanks for the reading 🙌🏻. I miss the days where I didn’t need to filter the console for it to be useful.

LikeLiked by 1 person
- 14
  
  hoakley on October 8, 2023 at 7:50 pm
  
  Thank you. So do I.
  Howard.
  
  LikeLike
15

Thomas on October 8, 2023 at 9:21 pm

I am not sure I understand…. clearly syslog on notice level and above makes it into the new logging system. I was trying to debug pureFTP (without changing its implementation) and like many unix open source tools it uses syslog. So are you saying there is no way to change the configuration so that other levels show up?

LikeLiked by 2 people
- 16
  
  hoakley on October 8, 2023 at 9:56 pm
  
  I’m sorry: I suggest that you ask someone who maintains such open source tools on macOS. I have absolutely no idea whether syslog still works, or how it does, as I don’t think any apps written for macOS have used it for seven years.
  Howard.
  
  LikeLiked by 1 person
  - 17
    
    Thomas on October 9, 2023 at 1:36 am
    
    Thanks for your clarification – it explains why it seemingly cannot be configured anymore. Unfortunately I think it is unrealistic to expect that developers of more generic unix software that also runs on macOS would rush to implement separate logging for it, which means there is no way to debug those easily on macOS. I find this frustrating in particular as there still seems to be some kind of integration for syslog that is in use today. Wouldn’t it be cool if there would be some kind of switch on a system that once advertised being the best Desktop Unix, to at least temporarily see syslog debug logging. Not sure why all these changes need to be so radical…
    
    LikeLiked by 2 people
    - 18
      
      hoakley on October 9, 2023 at 7:04 pm
      
      I strongly recommend that you discuss this with someone who ports open source apps like these to run on macOS. As I explained, these changes were made to macOS seven (7) years ago, so aren’t in the least bit recent.
      Howard.
      
      LikeLiked by 1 person