log

Access system wide log messages created by os_log, os_trace and other logging systems.


     log [command [options]]

     log help [command]


     log show [archive | file] 

                    [--predicate filter] [--source] 

                    [--style json | syslog] [--start date/time] [--end date/time] [--info]

     log collect [--output path] [--start date/time] [--size num [k|m]]


     log config [--reset | --status] [--mode mode(s)] [--subsystem name [--category name]] [--process pid]


         [--debug] [--last n [s|m|h|d]]


     log stream [--level default | info | debug] [--parent pid | process] [--process pid | process] [--predicate filter] [--source]
         [--style json | syslog] [--timeout time [m|h|d]] [--type activity | log | trace]


     log erase [--all] [--ttl] [--faulterror]

A month's worth!: 21,669,996 lines; 4.387,519,011GB

Used to access system wide log messages created by os_log, os_trace and other logging systems.

help [command]

show

Entries already written to logs. Use stream to see new entries.

Summary is ONLY output if stdout is NOT piped or redirected! (ie |tail or >out.log)
Not shown if log --style compact .
It IS shown if ^C is pressed while outputing.

--------------------------------------------------------------------------------------------------------------------
Log      - Default:        139, Info:                0, Debug:             0, Error:          2, Fault:          0
Activity - Create:          12, Transition:          0, Actions:           0

Warning: even --last 1m (i.e. last minute) can have THOUSANDS of lines.

Even using --predicate "logType == error" --last 1h will have several THOUSANDS of lines of output, many of which don't seem like errors.

`--predicate filter`	Filters messages. Compound predicate or multiple predicates can be provided.
`--last n[m\|h\|d]`	Display recent events up to the given limit
`--start date/time`	'Y-M-D H:m:s+zzzz', 'Y-M-D H:m:s', 'Y-M-D', '@unixtime'
`--end date/time`
`--info`	includes info level messages
`--debug`	use `--predicate "logType == error"` to see only errors.
`--[no-]pager`	Paginate output using less.
`--source`	Include symbol names and source line numbers for messages
`--[no-]backtrace`	Control whether backtraces are shown
`--[no-]loss`	Control whether message loss events are shown
`--[no-]signpost`	Control whether signposts are shown
`--process pid \| process`	Filter events using the specified process
`--style style`	`default, syslog, json, ndjson, compact`
`--timezone local \| tz`	Use the given timezone when displaying event timestamps
`--mach-continuous-time`	Print mach continuous time timestamps rather than walltime
`--color mode`	Control color output `auto\| always\| none`
`archivefile`	Use system log datastore, archive or a specific tracev3 file. Default: system datastore .
follow the NSPredicate format see: developer.apple.com --predicate fields: activityIdentifier integer bootUUID uuid category string composedMessage string continuousNanosecondsSinceBoot integer creatorActivityIdentifier integer creatorProcessUniqueIdentifier integer date date formatString string logType log type default, release, info, debug, error, fault machContinuousTimestamp integer parentActivityIdentifier integer process string processIdentifier integer processImagePath string processImageUUID uuid sender string senderImageOffset integer senderImagePath string senderImageUUID uuid signpostIdentifier integer signpostScope signpost scope thread, process, system signpostType signpost type event, begin, end size integer subsystem "string" threadIdentifier integer timeToLive integer traceIdentifier integer transitionActivityIdentifier integer type eventType activityCreateEvent, activityTransitionEvent, userActionEvent, traceEvent, logEvent, timesyncEvent, signpostEvent, lossEvent, stateEvent

stream

Stream activities, as if tail --F

`--level default \| info \| debug`
`--predicate filter`	Filters messages
`--parent pid \| process`	Any child process of the provided process or pid will stream messages associated with the same activity id.
`--process pid \| process`	can be used multiple times.
`--style json \|syslog`	Output the content as
`--source`	Include symbol names and source line numbers for messages>
`--timeout time [m\|h\|d]`	Timeout after a specified time, Default seconds. Example: `--timeout 5m`, `--timeout 1h`
`--type activity \| log \| trace`	Default all types

collect [path] root required

viewed later with log or Console.

`--output path`	Default `.logarchive` current directory.
`--start date/time`	Limits capture from `date/ time` to now. `YYYY-MM-DD[ HH:MM:SS`.
`--size n [k\|m]`	Example: "--size 100k" or "--size 20m"

config

Config commands can act system-wide or on a subsystem.
Deafult, system-wide , If subsystem is specified, category is optional.

--subsystem name Set or get mode for a specified subsystem.
N.B. Specifying an unknown subsystem does not generate an error!

--category name Set or get mode for a specified category. If category is supplied, subsystem is required.

--process pid|name Set mode for a specified pid.

--mode key:value

enables mode.

level: off | default | info | debug
The level is a hierarchy, e.g. debug implies debug, info, and default.
off can only be used with a process.

persist: off | default | info | debug}

stream:  live | default

log config --mode "level:default" sets the system level .

--reset

--status

If reset or status is not specified, a change to the configuration is assumed.
Example:

 sudo log config --status
System mode = INFO

--subsystem subsys resets subsystem to default settings. "log config

erase

Default: main log datastore will be deleted.

--all

--ttl       data marked with a time-to-livesudo log erase --ttl
Deleted selected logs

Predicate-based Filtering

The filter argument defines one or more pattern clauses .

Suggested use ' around the entire predicate and " around strings.

< , <= , == , != , <> , > , >=
and, && , or, || , not, ! , ( , )

LIKE ,MATCHES
BEGINSWITH, CONTAINS "pattern" , BETWEEN{ low , high } (inclusive) , ENDSWITH

ANY , ALL , SOME , NONE , IN { v1 , v2 [, … ]}

array[i] , array[ FIRST ] , array[ LAST ] , array[ SIZE ]

n , xHH , "ssttrriiinngg" , nil

More at developer.apple.com/library

Keys include:

`eventType`	`logEvent, traceEvent, activityCreateEvent, or activityTransitionEvent.`
`eventMessage`	`pattern`
`messageType`	`"default" , "info" , "debug" , etc.`
`processImagePath`	pattern within the name of the process that originated the event.
`senderImagePath`	pattern within the name of the sender that originated the event. specific library, framework, kext, or any valid mach-o binary that is executed.
`subsystem`	pattern within the subsystem of the event. Only with os_log(3) APIs.
`category`	pattern within the cateogry of the event. Only with os_log(3) APIs. `subsystem` is required

FILTERING EXAMPLES

Show time machine activity

log show --predicate 'subsystem == "com.apple.TimeMachine"' --info

Filter for specific subsystem:

      log show --predicate 'subsystem == "com.example.my_subsystem"'

Filter for specific subsystem and category:

  log show --predicate '(subsystem == "com.example.my_subsystem") && (category == "desired_category")'

Filter for specific subsystem and categories:

log show --predicate '(subsystem == "com.example.my_subsystem") && (category IN { "category1", "category2" })'

Filter for a specific subsystem and sender(s):

log show --predicate '(subsystem == "com.example.my_subsystem") && ((senderImagePath ENDSWITH "mybinary") || (senderImagePath ENDSWITH "myframework"))'

PREDICATE-BASED FILTERING EXAMPLES WITH LOG LINE

log show system_logs.logarchive --predicate 'subsystem == "com.example.subsystem" and category contains "CHECK"'

     Timestamp                       Thread     Type        Activity     PID
     2016-06-13 11:46:37.248693-0700 0x7c393    Default     0x0          10371  timestamp: [com.example.subsystem.CHECKTIME] Time is 06/13/2016 11:46:37

log show --predicate 'processImagePath endswith "hidd" and senderImagePath contains[cd] "IOKit"' --info

     Timestamp                       Thread     Type        Activity     PID
     2016-06-10 13:54:34.593220-0700 0x250      Info        0x0          113    hidd: (IOKit) [com.apple.iohid.default] Loaded 6 HID plugins

ENVIRONMENT

`OS_ACTIVITY_MODE`	`info` Enables info level messages. Does not override logging Preferences that have info level disabled. `debug` Enables debug level messages which includes info level messages. Does not override logging Preferences that have info level or debug level disabled.
`OS_ACTIVITY_STREAM`	Change the type of streaming enabled. live Live streaming from the process using IPC.
`OS_ACTIVITY_PROPAGATE_MODE`	If set, will propagate the mode settings via activities.

Files

The logging system stores content in /var/db/diagnostics and references content in /var/db/uuidtext.

Seem to be cut up in 10MB chunks

Kept for like 10 Days

/var/db/diagnostics >lt

        68    Jul  9 13:35 HighVolume/
       102    Jul  9 13:37 timesync/
 1,094,285 Aug 25 18:49 logdata.statistics.1.txt
       484   Sep 17 11:27 version.plist
    71,954  Sep 17 21:02 shutdown.log
       986          07:30 Persist/
   59,3279         15:48 logdata.statistics.0.txt
      4386          15:48 Special/
db/diagnostics >du
  0       ./HighVolume
 68       ./timesync
 46,788   ./Special
244,640   ./Persist
293,224  .

log show|more
Timestamp                       Thread     Type        Activity PID  TTL  
2020-10-03 16:51:08.068420-0400 0x0        Timesync    0      0      0    === log class: TTL more than 14 days begins
2020-10-21 13:36:47.000000-0400 0x0        Timesync    0      0      0    === system boot: 7A33DF77-738A-4200-8B2B-E1ABD6287638
2020-10-21 13:37:05.289824-0400 0x2e8      Default     0      204    3    bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] Bluetooth preference version 6
2020-10-21 13:37:05.370248-0400 0x3b0      Default     0      209    3    AirPlayXPCHelper: (BluetoothAudio) [com.apple.bluetooth:BTFigE] Add Listeners
2020-10-21 13:37:05.370275-0400 0x3b0      Default     0      209    3    AirPlayXPCHelper: (BluetoothAudio) [com.apple.bluetooth:BTFigE] Created BluetoothEndpointManager 0x7f89a970ecd0 with TargetUserSession: 1
2020-10-21 13:37:05.492914-0400 0x2e8      Error       0      204    3    bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] [DaemonWritePersistentPort] CFRunLoopAddSource 0x7fa0d0c0e660, 2503.
2020-10-21 13:37:05.492932-0400 0x2e8      Default     0      204    3    bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] [serialManagerShowsUp] notification 2503.
2020-10-21 13:37:05.493050-0400 0x2e8      Error       0      204    3    bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] [DaemonWritePersistentPort] CFRunLoopAddSource 0x7fa0d0c0ecb0, 1f03.

 log show --predicate 'subsystem == "com.apple.TimeMachine"' --info |more
Filtering the log data using "subsystem == "com.apple.TimeMachine""
Skipping debug messages, pass --debug to include.
Timestamp                       Thread     Type        Activity   PID  TTL  
2020-10-28 17:05:00.493243-0400 0x2fd2cd   Error       0        269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to determine if '/Volumes/Recovery' is a recovery volume, 
                                                                                        error: Disk object invalid or unable to serialize
2020-10-28 17:20:02.010723-0400 0x2fea3c   Info        0        269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] TMPowerState: 2
2020-10-28 17:20:32.075356-0400 0x2fd351   Info        0        269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] TMPowerState: 2
2020-10-28 17:20:32.075569-0400 0x2fd351   Info        0        269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:General] Not starting scheduled Time Machine backup: No destinations resolvable
2020-10-28 17:40:19.949301-0400 0x2fd351   Info        0        269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] Thermal pressure level 0 -> 1
2020-10-28 17:40:23.031879-0400 0x2fd351   Info        0        269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:PowerManagement] Thermal pressure level 1 -> 0

log show --predicate 'subsystem == "com.apple.TimeMachine" and logType == error' |cut -f2- -d' ' #looses color
Filtering the log data using "subsystem == "com.apple.TimeMachine" AND logType == 16"
Skipping info and debug messages, pass --info and/or --debug to include.
Thread     Type        Activity PID    TTL  
17:05:00.493243-0400 0x2fd2cd   Error       0x0       269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to determine if '/Volumes/Recovery' is a recovery volume, error: Disk object invalid or unable to serialize
17:54:23.341916-0400 0x1601     Error       0x0       269    0    backupd-helper: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to determine if '/Volumes/Install macOS Big Sur Beta' is a recovery volume, error: Disk object invalid or unable to serialize
18:41:28.459335-0400 0x2743     Error       0x0       855    0    NotificationCenter: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
 19:13:49.526599-0400 0x7275     Error       0x13eef   163    0    tccd: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
 08:19:18.458021-0400 0xfe3      Error       0x0       436    0    NotificationCenter: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
 08:22:55.043915-0400 0xf1e      Error       0x0       426    0    NotificationCenter: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
 11:55:05.138392-0400 0x19bfb    Error       0x2cf82   162    0    tccd: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to get role for volume '/Volumes/DATA' (/dev/disk1s2), error: -536870174
 12:01:39.521564-0400 0x1d01d    Error       0x0                  322    0    backupd: (TimeMachine) [com.apple.TimeMachine:General] 
Failed to wait for snapshot deletion to complete on disk '/private/tmp/msu-target-5r1kRpjo', error: 
Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"

SEE

os_log(3), os_trace(3)
Darwin May 10, 2016