NAME
log — Access system wide log messages created by os_log, os_trace and other logging systems.
DESCRIPTION
log is used to access system wide log messages created by os_log, os_trace and other logging systems. Some commands require root privileges.
Framework
OSLog
A unified logging system for the reading of historical data.
The unified logging system is available in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later. This system supersedes the Apple System Logger (ASL) and Syslog APIs.
Log entries are made at any one of five levels:
Fault – these are always saved to disk, and have additional attached information which can be quite voluminous.
Error – as for Faults.
Default – these are saved to disk, but are normally confined to regular log entries.
Info – these are normally saved to memory, but can be set to go to disk instead, and are regular log entries.
Debug – collection of these has to be specially enabled using the log command.
Examples:
Find events for Twitter:
log stream --predicate 'eventMessage contains "Twitter"'
Search for "Failed to authenticate user":
log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d
Compound search example (krypted.com):
log show --style syslog --predicate '(subsystem == "com.apple.bluetooth.WirelessProximity") && (eventMessage CONTAINS[c] "scanning")' --info --last 1h
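The compound search above, wrapped so that search terms taken from a ticket or alert cannot break out of the predicate's string literal. This is an added example, not code from the original page or from Apple; the function names are hypothetical, and it assumes NSPredicate string literals accept backslash-escaped quotes and that --last takes a number followed by m, h or d.

```shell
#!/bin/sh
# Added example: build a `log show` predicate from untrusted search terms.

# Escape backslashes and double quotes so a term cannot close the
# string literal early (assumption: NSPredicate honours \" and \\).
escape_term() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_predicate SUBSYSTEM MESSAGE
# Either argument may be empty; the clauses present are joined with &&.
build_predicate() {
    pred=""
    if [ -n "$1" ]; then
        pred="(subsystem == \"$(escape_term "$1")\")"
    fi
    if [ -n "$2" ]; then
        clause="(eventMessage CONTAINS[c] \"$(escape_term "$2")\")"
        if [ -n "$pred" ]; then pred="$pred && $clause"; else pred="$clause"; fi
    fi
    printf '%s' "$pred"
}

# search_log SUBSYSTEM MESSAGE WINDOW   (WINDOW such as 1m, 1h, 1d)
search_log() {
    query=$(build_predicate "$1" "$2")
    if [ -z "$query" ]; then
        echo "refusing to dump the whole log: no predicate given" >&2
        return 2
    fi
    num=${3%[mhd]}                      # strip one trailing unit letter
    case "$num" in
        ""|*[!0-9]*) echo "bad window: $3" >&2; return 2 ;;
    esac
    if [ "$num" = "$3" ]; then          # no unit letter was present
        echo "bad window: $3" >&2; return 2
    fi
    if ! command -v log >/dev/null 2>&1; then
        echo "log command not found (macOS only)" >&2
        return 3
    fi
    log show --style syslog --info --last "$3" --predicate "$query"
}

# Show the predicate that would be passed for the page's compound search.
build_predicate "com.apple.bluetooth.WirelessProximity" "scanning"; echo
```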
log show --last 1m command
log show --style syslog --info --last 1m
This appends the last minute's output to a file on the Desktop:
log show --style syslog --info --last 1m >> ~/Desktop/1minutelogs.txt
Listing previous shutdowns
log show --predicate 'eventMessage contains "Previous shutdown cause"' --last 24h
Managed Client Preferences
log show --last 2d --debug --predicate 'subsystem="com.apple.ManagedClient" and process="mdmclient"' >> /Users/Shared/mdmlog.log
log show --predicate 'subsystem="com.apple.ManagedClient"'
Certificate payload messages
log show --predicate '(subsystem == "com.apple.ManagedClient") && (senderImagePath ENDSWITH "Certificate")'
Krypted's useful predicates:
subsystem:com.apple.ManagedClient – Messages in this category cover a broad range of profile installation messages.
subsystem:com.apple.securityd – Interactions with the keychain.
category:SCEP.fw – SCEP network requests only (no warnings on signature verification etc).
Payload specific combinations:
subsystem:com.apple.ManagedClient library:Certificate – Certificate payload messages.
Certificates Subsystem
log show --info --debug --predicate '(subsystem == "com.apple.ManagedClient") && (senderImagePath ENDSWITH "Certificate")' --last 1h
Krypted’s list of subsystems
https://gist.github.com/krypted/495e48a995b2c08d25dc4f67358d1983
Copy logs back to local machine or put to remote machine
Use the scp command, which runs on top of SSH. Example:
scp username@remote.host:/path/to/file localfile
It also works the other way round:
scp localfile username@host:/path/remotefile
Username, path, and filename can be omitted.
Links:
https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/
https://krypted.com/mac-os-x/logs-logging-logger-oh/
Predicates provide a general means of specifying queries in Cocoa. The predicate system is capable of handling a large number of domains, including Core Data and Spotlight. This document describes predicates in general, their use, their syntax, and their limitations.
https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html
https://robservatory.com/view-app-specific-log-messages-in-terminal/
https://eclecticlight.co/2016/10/17/log-a-primer-on-predicates/
Great Resource
https://blog.kandji.io/mac-logging-and-the-log-command-a-guide-for-apple-admins