What is Unified Logging?
Unified Logging is Apple’s systemwide logging mechanism introduced with macOS Sierra (10.12). It centralises and standardises logging across the operating system and all applications, providing a comprehensive and consistent way to capture, store, and analyse logs.
Why is Logging Useful to a Sysadmin?
Logging is crucial for system administrators because it provides insights into system and application behavior. It helps in:
Troubleshooting: Diagnosing issues and identifying root causes.
Monitoring: Keeping track of system performance and activities.
Auditing: Ensuring compliance with security policies.
Maintenance: Predicting and preventing potential issues.
Why is Unified Logging Useful for Security?
Unified Logging enhances security by offering:
Comprehensive Visibility: Logs from all parts of the system in one place.
Realtime Monitoring: Immediate detection of suspicious activities.
Detailed Records: Granular logs that can aid in forensic analysis.
Controlled Access: Secure and managed access to log data.
Location on Mac the Logs are Stored
Logs in macOS are stored in various directories, but Unified Logging specifically uses the following paths:
- /var/db/diagnostics
- /var/log
- /Library/Logs
`log` Command
The `log` command is the primary tool for interacting with the Unified Logging system. It allows you to view, filter, and manage logs.
Basic Syntax
log show [options]
log stream [options]
Example: Viewing Logs for a Specific Process
log show predicate 'process == "Finder"' info
Predicates
Predicates allow you to filter log entries based on specific criteria.
Example: Show Logs Within a Given Time Frame
log show predicate 'eventMessage contains "error"' info start "20230601 00:00:00" end "20230601 23:59:59"
Log Levels
default: Standard log messages.
info: Informational messages.
debug: Debugging information.
error: Errors that need attention.
fault: Severe errors that likely lead to a crash.
Specified Log Level
Filter logs by their level (default, info, debug, error, fault).
Example: Filter by Log Level
log show predicate 'messageType == error'
Log Stats
The `log stats` command provides statistical information about log entries.
Example: Viewing Log Statistics
log stats overview
Subsystems and Categories
Logs can be categorised by subsystems and categories, helping to organise log data.
Example: Filtering by Subsystem
log show predicate 'subsystem == "com.apple.network"'
Log Archive
To create a log archive for the further analysis
log collect --output <path_to_logarchive>.logarchive
Syslog
`syslog` is the traditional logging system that Unified Logging supersedes but remains available for compatibility.
Example: Viewing Syslog
syslog k Sender Finder
SystemLogging
SystemLogging is the background process that handles the logging infrastructure. Understanding its functionality can help in managing and troubleshooting logging issues.
Sysdiagnose
`sysdiagnose` is a powerful tool that collects extensive system diagnostics, including logs.
Example: Running Sysdiagnose
sudo sysdiagnose f /path/to/output
Profiles and Logs
Profiles (configuration profiles) can be used to manage logging settings across multiple systems, ensuring consistent logging policies.
Example: Applying a Configuration Profile
sudo profiles I F /path/to/profile.mobileconfig
Unified Logging on macOS offers a powerful and flexible system for managing log data, essential for effective system administration and security. By mastering the `log` command and understanding the structure and storage of logs, sysadmins can greatly enhance their ability to monitor, troubleshoot, and secure macOS systems.