log [command [options]]
No option to write an log entry!
A month's worth!: 21,669,996 lines; 4.387,519,011GB
Used to access system wide log messages created by os_log, os_trace and other logging systems.
help [command]
show Entries already written to logs. Use stream to see new entries.
Summary is ONLY output if stdout is NOT piped or redirected! (ie |tail or >out.log)
Not shown if log --style compact .
It IS shown if ^C is pressed while outputing.
--------------------------------------------------------------------------------------------------------------------
Log - Default: 139, Info: 0, Debug: 0, Error: 2, Fault: 0
Activity - Create: 12, Transition: 0, Actions: 0
Warning: even --last 1m (i.e. last minute) can have THOUSANDS of lines.
Even using --predicate "logType == error" --last 1h will have several THOUSANDS of lines of output, many of which
don't seem like errors.
--predicate filter
Filters messages. Compound predicate or multiple predicates can be provided.
--last n[m|i>h|i>d] Display recent events up to the given limit
--start date/time 'Y-M-D H:m:s+zzzz', 'Y-M-D H:m:s', 'Y-M-D', '@unixtime'
--end date/time
--info includes info level messages
--debug use --predicate "logType == error" to see only errors.
--[no-]pager Paginate output using less.
--source Include symbol names and source line numbers for messages
--[no-]backtrace Control whether backtraces are shown
--[no-]loss Control whether message loss events are shown
--[no-]signpost Control whether signposts are shown
--process pid |i> process Filter events using the specified process
--style style default, syslog, json, ndjson, compact
--timezone local |i> tz Use the given timezone when displaying event timestamps
--mach-continuous-time Print mach continuous time timestamps rather than walltime
--color mode Control color output auto|i> always|i> none
archivefile Use system log datastore, archive or a specific tracev3 file.
Default: system datastore .
follow the NSPredicate format see:
developer.apple.com
--predicate fields:
activityIdentifier integer
bootUUID uuid
category string
composedMessage string
continuousNanosecondsSinceBoot integer
creatorActivityIdentifier integer
creatorProcessUniqueIdentifier integer
date date
formatString string
logType log type default, release, info, debug, error, fault
machContinuousTimestamp integer
parentActivityIdentifier integer
process string
processIdentifier integer
processImagePath string
processImageUUID uuid
sender string
senderImageOffset integer
senderImagePath string
senderImageUUID uuid
signpostIdentifier integer
signpostScope signpost scope thread, process, system
signpostType signpost type event, begin, end
size integer
subsystem "string"
threadIdentifier integer
timeToLive integer
traceIdentifier integer
transitionActivityIdentifier integer
type eventType activityCreateEvent, activityTransitionEvent,
userActionEvent, traceEvent, logEvent,
timesyncEvent, signpostEvent, lossEvent, stateEvent
stream Stream activities, as if tail --F
--level default |
info |
debug
--predicate filter Filters messages
--parent pid | process
Any child process of the provided process or pid will stream messages associated with the same activity id.
--process pid | process
can be used multiple times.
--style json |syslog Output the content as
--source Include symbol names and source line numbers for messages>
--timeout time [m|h|d]
Timeout after a specified time, Default seconds.
Example: --timeout 5m, --timeout 1h
--type activity |
log |
trace
Default all types
collect [path]
root required viewed later with log or Console.
--output path Default .logarchive current directory.
--start date/time Limits capture from date/ time to now.
YYYY-MM-DD[ HH:MM:SS.
--size n [k|m]
Example: "--size 100k" or "--size 20m"
config Config commands can act system-wide or on a subsystem.
Deafult, system-wide , If subsystem is specified, category is optional.
--subsystem name Set or get mode for a specified subsystem.
N.B. Specifying an unknown subsystem does not generate an error!
--category name Set or get mode for a specified category. If category is supplied, subsystem is required.
--process pid|name Set mode for a specified pid.
--mode key:value enables mode.
level: off | default | info | debug
The level is a hierarchy, e.g. debug implies debug, info, and default.
off can only be used with a process.
persist: off | default | info | debug}
stream: live | default
log config --mode "level:default" sets the system level .
--reset
--status If reset or status is not specified, a change to the configuration is assumed.
Example: sudo log config --status
System mode = INFO
--subsystem subsys resets subsystem to default settings. "log config
erase Default: main log datastore will be deleted.
--all
--ttl data marked with a time-to-livesudo log erase --ttl
Deleted selected logs
Predicate-based Filtering
The filter argument defines one or more pattern clauses .
Use ' around the entire predicate and " around strings.
Operators
< , <= , == , != , <> , > , >=
and, && , or, || , not, ! , ( , )
Functions
LIKE , MATCHES
- BEGINSWITH
, CONTAINS "pattern" ,
BETWEEN{ low , high } (inclusive) , ENDSWITH
Aggregate Operations
ANY , ALL , SOME , NONE , IN { v1 , v2 [, … ]}
Arrays
array[i] , array[ FIRST ] , array[ LAST ] , array[ SIZE ]
Literals
n , xHH ,
"ssttrriiinngg" ,
nil
More at
developer.apple.com/library
Keys include:
eventType logEvent, traceEvent, activityCreateEvent, or activityTransitionEvent.
eventMessage pattern
messageType "default" , "info" , "debug" , etc.
processImagePath pattern within the name of the process that originated the event.
senderImagePath pattern within the name of the sender that originated the event. specific library, framework,
kext, or any valid mach-o binary that is executed.
subsystem pattern within the subsystem of the event. Only with os_log(3) APIs.
category pattern within the cateogry of the event. Only with os_log(3) APIs.
subsystem is required
FILTERING EXAMPLES
Show time machine activitylog show --predicate 'subsystem == "com.apple.TimeMachine"' --info
Filter for specific subsystem:
log show --predicate 'subsystem == "com.example.my_subsystem"'
Filter for specific subsystem and category:
log show --predicate '(subsystem == "com.example.my_subsystem") && (category == "desired_category")'
Filter for specific subsystem and categories:
log show --predicate '(subsystem == "com.example.my_subsystem") && (category IN { "category1", "category2" })'
Filter for a specific subsystem and sender(s):
log show --predicate '(subsystem == "com.example.my_subsystem") && ((senderImagePath ENDSWITH "mybinary") || (senderImagePath ENDSWITH "myframework"))'
PREDICATE-BASED FILTERING EXAMPLES WITH LOG LINE
log show system_logs.logarchive --predicate 'subsystem == "com.example.subsystem" and category contains "CHECK"'
Timestamp Thread Type Activity PID
2016-06-13 11:46:37.248693-0700 0x7c393 Default 0x0 10371 timestamp: [com.example.subsystem.CHECKTIME] Time is 06/13/2016 11:46:37
log show --predicate 'processImagePath endswith "hidd" and senderImagePath contains[cd] "IOKit"' --info
Timestamp Thread Type Activity PID
2016-06-10 13:54:34.593220-0700 0x250 Info 0x0 113 hidd: (IOKit) [com.apple.iohid.default] Loaded 6 HID plugins
ENVIRONMENT
OS_ACTIVITY_MODE info Enables info level messages. Does not override logging Preferences that have info level disabled.
debug Enables debug level messages which includes info level messages. Does not override logging
Preferences that have info level or debug level disabled.
OS_ACTIVITY_STREAM Change the type of streaming enabled.
live Live streaming from the process using IPC.
OS_ACTIVITY_PROPAGATE_MODE If set, will propagate the mode settings via activities.
Files
The logging system stores content
in /var/db/diagnostics and references content in /var/db/uuidtext.
Seem to be cut up in 10MB chunks
Kept for like 10 Days
/var/db/diagnostics >lt
68 Jul 9 13:35 HighVolume/
102 Jul 9 13:37 timesync/
1,094,285 Aug 25 18:49 logdata.statistics.1.txt
484 Sep 17 11:27 version.plist
71,954 Sep 17 21:02 shutdown.log
986 07:30 Persist/
59,3279 15:48 logdata.statistics.0.txt
4386 15:48 Special/
db/diagnostics >du
0 ./HighVolume
68 ./timesync
46,788 ./Special
244,640 ./Persist
293,224 .
log show|more
Timestamp Thread Type Activity PID TTL
2020-10-03 16:51:08.068420-0400 0x0 Timesync 0 0 0 === log class: TTL more than 14 days begins
2020-10-21 13:36:47.000000-0400 0x0 Timesync 0 0 0 === system boot: 7A33DF77-738A-4200-8B2B-E1ABD6287638
2020-10-21 13:37:05.289824-0400 0x2e8 Default 0 204 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] Bluetooth preference version 6
2020-10-21 13:37:05.370248-0400 0x3b0 Default 0 209 3 AirPlayXPCHelper: (BluetoothAudio) [com.apple.bluetooth:BTFigE] Add Listeners
2020-10-21 13:37:05.370275-0400 0x3b0 Default 0 209 3 AirPlayXPCHelper: (BluetoothAudio) [com.apple.bluetooth:BTFigE] Created BluetoothEndpointManager 0x7f89a970ecd0 with TargetUserSession: 1
2020-10-21 13:37:05.492914-0400 0x2e8 Error 0 204 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] [DaemonWritePersistentPort] CFRunLoopAddSource 0x7fa0d0c0e660, 2503.
2020-10-21 13:37:05.492932-0400 0x2e8 Default 0 204 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] [serialManagerShowsUp] notification 2503.
2020-10-21 13:37:05.493050-0400 0x2e8 Error 0 204 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] [DaemonWritePersistentPort] CFRunLoopAddSource 0x7fa0d0c0ecb0, 1f03.
log show --predicate 'subsystem == "com.apple.TimeMachine"' --info |more
Filtering the log data using "subsystem == "com.apple.TimeMachine""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2020-10-28 17:05:00.493243-0400 0x2fd2cd Error 0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:General]
Failed to determine if '/Volumes/Recovery' is a recovery volume,
error: Disk object invalid or unable to serialize
2020-10-28 17:20:02.010723-0400 0x2fea3c Info 0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] TMPowerState: 2
2020-10-28 17:20:32.075356-0400 0x2fd351 Info 0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] TMPowerState: 2
2020-10-28 17:20:32.075569-0400 0x2fd351 Info 0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:General] Not starting scheduled Time Machine backup: No destinations resolvable
2020-10-28 17:40:19.949301-0400 0x2fd351 Info 0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] Thermal pressure level 0 -> 1
2020-10-28 17:40:23.031879-0400 0x2fd351 Info 0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] Thermal pressure level 1 -> 0
log show --predicate 'subsystem == "com.apple.TimeMachine" and logType == error' |cut -f2- -d' ' #looses color
Filtering the log data using "subsystem == "com.apple.TimeMachine" AND logType == 16"
Skipping info and debug messages, pass --info and/or --debug to include.
Thread Type Activity PID TTL
17:05:00.493243-0400 0x2fd2cd Error 0x0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:General]
Failed to determine if '/Volumes/Recovery' is a recovery volume, error: Disk object invalid or unable to serialize
17:54:23.341916-0400 0x1601 Error 0x0 269 0 backupd-helper: (TimeMachine) [com.apple.TimeMachine:General]
Failed to determine if '/Volumes/Install macOS Big Sur Beta' is a recovery volume, error: Disk object invalid or unable to serialize
18:41:28.459335-0400 0x2743 Error 0x0 855 0 NotificationCenter: (TimeMachine) [com.apple.TimeMachine:General]
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
19:13:49.526599-0400 0x7275 Error 0x13eef 163 0 tccd: (TimeMachine) [com.apple.TimeMachine:General]
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
08:19:18.458021-0400 0xfe3 Error 0x0 436 0 NotificationCenter: (TimeMachine) [com.apple.TimeMachine:General]
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
08:22:55.043915-0400 0xf1e Error 0x0 426 0 NotificationCenter: (TimeMachine) [com.apple.TimeMachine:General]
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
11:55:05.138392-0400 0x19bfb Error 0x2cf82 162 0 tccd: (TimeMachine) [com.apple.TimeMachine:General]
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
12:01:39.521564-0400 0x1d01d Error 0x0 322 0 backupd: (TimeMachine) [com.apple.TimeMachine:General]
Failed to wait for snapshot deletion to complete on disk '/private/tmp/msu-target-5r1kRpjo', error:
Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"
log stats --overview
== archive =============================================================
size: 307,436,992 bytes
882,020,014 bytes (uncompressed)
start: Sat Oct 9 22:09:01 2021
end: Sun Oct 31 16:40:09 2021
statedump: 2,251
events: [ total log trace signpost loss ]
[ 9,734,809 8,009,566 0 1,266,691 39 ]
activity: [ create transition action ]
[ 455,330 0 24 ]
log messages: [ default info debug error fault ]
[ 7,725,335 347,558 313,120 700,023 190,221 ]
ttl: [ 1day 3days 7days 14days 30days ]
[ 6,144 735,670 180,725 518,732 1,556,428 ]
processes:
[ events (%total), decomp. bytes (%total), image UUID, image ]
[ 1,038,095 ( 10.7%), 110,196,764 ( 12.5%), E9A7969A-1A79-3674-ABD0-32D503BE70B3, com.apple.WebKit.Networking ]
[ 672,026 ( 6.9%), 55,782,817 ( 6.3%), 2BEFD20C-18EC-3838-814F-2B4E5AF3BCEC, WindowServer ]
[ 539,242 ( 5.5%), 47,070,593 ( 5.3%), BDD45120-944C-3B7E-BD25-48BE22D4D767, mediaanalysisd ]
[ 509,040 ( 5.2%), 45,799,890 ( 5.2%), EC80AF54-5BB2-3DD6-BCC3-CEB4DBE5A7CB, WindowServer ]
[ 371,250 ( 3.8%), 40,198,024 ( 4.6%), ABBCB13A-47FE-3555-999E-A025D0803E43, sharingd ]
senders:
[ events (%total), decomp. bytes (%total), image UUID, image ]
[ 643,837 ( 6.6%), 52,124,407 ( 5.9%), 169074B6-3D62-3596-B02C-C4BBF0196BDE, SkyLight ]
[ 601,589 ( 6.2%), 49,713,604 ( 5.6%), 2D5149CC-D49C-3074-8A3E-ED6C58BEDE74, WebKit ]
[ 449,923 ( 4.6%), 45,187,045 ( 5.1%), 1DF31EAA-4538-356F-BC9D-D49F6B03671D, PhotoLibraryServicesCore ]
[ 497,546 ( 5.1%), 44,554,995 ( 5.1%), 89EF7F87-566F-39F3-A126-451D13176BC4, SkyLight ]
[ 345,899 ( 3.6%), 37,345,967 ( 4.2%), 45D8010D-AAE6-3A01-B36A-E81B5820B20D, CoreUtils ]
SEE
os_log(3), os_trace(3)
Darwin May 10, 2016