Friday Magic: See real log entries

One of the features introduced in the new Unified log back in macOS Sierra was its ability to protect privacy by redacting potentially sensitive contents. Although a good thing, an extraordinary mistake in High Sierra, which revealed an encryption password in plain text, has led to many entries being so heavily redacted that they’re gutted of all meaning by <private>.

Another bone of contention has been the protection provided to key information about network connections. Originally that could be removed by setting the CFNETWORK_DIAGNOSTICS environment variable in Terminal. Following a vulnerability addressed in Ventura 13.4, that setting too was put under the protection of SIP, raising the barrier for it as well.

This Friday’s magic trick is one of the most complicated I have attempted yet, and is going to show how you can put meaning back into your log and discover where all those network connections are going. Because of the changes necessary, this is easiest to perform in a macOS VM, allowing you to discard the VM when you’re done.

Setting up

You don’t have to use a VM, but if you use a Mac it shouldn’t be your production system, and you’ll need to set it back to its original settings when you’ve finished.

I took a freshly updated VM with macOS Tahoe 26.3, duplicated that in the Finder, and used the duplicate so I could easily trash it.

I then installed the profile I have made available here to remove privacy in the log. Double-click the profile, then confirm in System Settings > General > Device Management that you want to add and enable it. From then until you remove that profile, all redactions in the log should cease.

To disable SIP, I started the VM up in Recovery mode, opened Startup Security Utility and downgraded boot security there. I then opened Terminal and disabled SIP using the command
csrutil disable

If you want to, while you’re in Terminal you can run the command to enable network diagnostics
launchctl setenv CFNETWORK_DIAGNOSTICS 3
noting that, in Recovery, there’s no sudo required or available. If you do this now, it should also apply when you restart.

Once that has been completed, restart back into normal mode and check the profile is still enabled. If you didn’t enable network diagnostics there, open Terminal and enter
sudo launchctl setenv CFNETWORK_DIAGNOSTICS 3

Testing

Ensure the menu bar clock is displaying seconds, and just as it turns those to 00 seconds, run an app like SilentKnight that connects to remote sites. View the log for that period using LogUI (or whatever), and you should see the effects of both privacy removal and network diagnostics. The log is now a very different place, and far more informative.

Results

These are comparable log entries, before and after pulling this trick.

Privacy removal

Normal log entry:
00.541160 com.apple.launchservices Found application <private> to open application <private>

Privacy removed:
00.540882 com.apple.launchservices Found application SilentKnight to open application file:///Applications/SilentKnight.app/
restoring the app name and location that had been redacted to render the log entry meaningless.

Network diagnostics

Normal log entry:
01.240305 com.apple.network [C5 752CDB24-4E91-40B0-A837-9D7B9DE41B9E Hostname#7c4edf26:443 tcp, url hash: b62568a6, tls, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{AA60FF41-BA48-4332-B223-0C76A78CCEA7}{(null)}{Y}{2}{0x0} (private), proc: 9FC457E5-3273-37FA-BAEE-749A710F48E5, delegated upid: 0] start
which obfuscates the URL in a hash of b62568a6.

Network diagnostics:
01.103602 com.apple.network [C1 8BF615A6-CBEF-48D8-BE2F-CEF861B70BEE Hostname#99dda594:443 quic-connection, url: https://raw.githubusercontent.com/hoakleyelc/updates/master/applesilicon.plist, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{58709C77-3924-44EA-8563-4B44F0223AB6}{(null)}{Y}{2}{0x0} (private), proc: 06DF065F-71F6-36D9-BBAE-533B2D327BF4, delegated upid: 0] start
which reveals the full URL of https://raw.githubusercontent.com/hoakleyelc/updates/master/applesilicon.plist, the property list on my GitHub containing firmware versions for Apple silicon Macs.
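As an added example, not code from the original post, here is a small Python parser that reads the two kinds of log entry shown above and tells apart what the log still hides (a <private> field, or a bare URL hash) from what network diagnostics has revealed. The four sample lines are the entries quoted on this page; on a Mac set up as described, the same functions could be fed the output of log show instead.

```python
import re
from typing import Optional

# Constructed sample: the four entries quoted on this page, one per line.
SAMPLE_LOG = """\
00.541160 com.apple.launchservices Found application <private> to open application <private>
00.540882 com.apple.launchservices Found application SilentKnight to open application file:///Applications/SilentKnight.app/
01.240305 com.apple.network [C5 752CDB24-4E91-40B0-A837-9D7B9DE41B9E Hostname#7c4edf26:443 tcp, url hash: b62568a6, tls, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{AA60FF41-BA48-4332-B223-0C76A78CCEA7}{(null)}{Y}{2}{0x0} (private), proc: 9FC457E5-3273-37FA-BAEE-749A710F48E5, delegated upid: 0] start
01.103602 com.apple.network [C1 8BF615A6-CBEF-48D8-BE2F-CEF861B70BEE Hostname#99dda594:443 quic-connection, url: https://raw.githubusercontent.com/hoakleyelc/updates/master/applesilicon.plist, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{58709C77-3924-44EA-8563-4B44F0223AB6}{(null)}{Y}{2}{0x0} (private), proc: 06DF065F-71F6-36D9-BBAE-533B2D327BF4, delegated upid: 0] start
"""

# Matches the bracketed connection descriptor in com.apple.network "start" entries.
# The URL field is either "url hash: <hex>" (obfuscated) or "url: <URL>" (diagnostics on).
_NET_RE = re.compile(
    r"com\.apple\.network \[(?P<conn>C\d+) (?P<uuid>[0-9A-F-]{36}) "
    r"Hostname#(?P<host_hash>[0-9a-f]+):(?P<port>\d+) (?P<proto>[\w-]+), "
    r"(?:url hash: (?P<url_hash>[0-9a-f]+)|url: (?P<url>[^,\s]+)),"
)

def parse_network_entry(line: str) -> Optional[dict]:
    """Return the connection's fields, or None if the line is not a network 'start' entry."""
    m = _NET_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["obfuscated"] = d["url"] is None   # True when only a URL hash was logged
    return d

def count_redactions(line: str) -> int:
    """Number of <private> placeholders the privacy mechanism left in the entry."""
    return line.count("<private>")

def summarize(log_text: str) -> dict:
    """Tally redactions and list which destinations were revealed and which stayed hashed."""
    summary = {"redacted_fields": 0, "connections": 0, "revealed_urls": [], "hashed_only": []}
    for line in log_text.splitlines():
        summary["redacted_fields"] += count_redactions(line)
        entry = parse_network_entry(line)
        if entry is None:
            continue
        summary["connections"] += 1
        if entry["obfuscated"]:
            summary["hashed_only"].append((entry["host_hash"], entry["url_hash"]))
        else:
            summary["revealed_urls"].append(entry["url"])
    return summary

if __name__ == "__main__":
    # With the profile and CFNETWORK_DIAGNOSTICS in place, real input could come from e.g.
    #   log show --last 1m --predicate 'subsystem == "com.apple.network"'
    print(summarize(SAMPLE_LOG))
```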

Remember

If you did this on a physical Mac, don’t forget to remove the profile, to enable SIP and return Startup Security Utility to Full Security, which should automatically disable network diagnostics.