Monday, June 10, 2024

Unified Logging on macOS

What is Unified Logging?

Unified Logging is Apple’s systemwide logging mechanism introduced with macOS Sierra (10.12). It replaces the older ASL/syslog pipeline with a single facility that the kernel, system daemons and applications all log to through the `os_log` API. Entries are written by the `logd` daemon as compressed binary `.tracev3` files rather than plain text, so they are read with the `log` command or Console.app, not with `cat` or `grep`, and every entry carries structured metadata (process, subsystem, category, level) that the filtering described below relies on.


Why is Logging Useful to a Sysadmin?

Logging is crucial for system administrators because it provides insights into system and application behavior. It helps in:

Troubleshooting: Diagnosing issues and identifying root causes.

Monitoring: Keeping track of system performance and activities.

Auditing: Ensuring compliance with security policies.

Maintenance: Predicting and preventing potential issues.


Why is Unified Logging Useful for Security?

Unified Logging helps security work by offering:

Comprehensive Visibility: Kernel, system daemon and application logs sit in one store with one query syntax.

Realtime Monitoring: `log stream` delivers entries as they are written, so suspicious activity can be alerted on as it happens.

Detailed Records: Each entry carries a timestamp, process, PID, subsystem, category and level, which is what a forensic timeline needs.

Controlled Access: The on-disk store is not world-readable, and dynamic values (usernames, paths, addresses) are redacted as `<private>` unless a configuration profile explicitly enables private data, so sensitive information is not exposed by default. Bear in mind that code running as root can still tamper with the local store, so forwarding entries off the host remains necessary.


Where the Logs are Stored on a Mac

Unified log data lives in two locations, both binary and not readable by standard users:

  • /var/db/diagnostics: the log store. Persist/ and Special/ hold the `.tracev3` files, HighVolume/ and Signpost/ their high-rate counterparts, and timesync/ the clock data needed to resolve timestamps
  • /var/db/uuidtext: the format strings and other static data that the `.tracev3` entries reference; without it, messages cannot be rendered

The traditional text logs still exist alongside it and are what `syslog`, `cat` and `grep` can read:

  • /var/log: system text logs such as /var/log/system.log and /var/log/install.log, plus the legacy ASL database under /var/log/asl
  • /Library/Logs: system-wide application logs and crash reports under DiagnosticReports
  • ~/Library/Logs: per-user application logs

`log` Command


The `log` command is the primary tool for interacting with the Unified Logging system. Its subcommands view (`show`), follow (`stream`), summarise (`stats`), export (`collect`) and configure (`config`) the log; `collect` and `config` need `sudo`.


Basic Syntax

log show [options]

log stream [options]


Example: Viewing Logs for a Specific Process


log show --predicate 'process == "Finder"' --info

`--info` is needed because info-level messages are hidden by default. Without a time bound, `log show` walks the whole store, which can take minutes; add `--last 1h` (or `--start`/`--end`) to limit it.


Predicates

Predicates filter log entries by their fields using NSPredicate syntax: comparisons (`==`, `!=`), string operators (`CONTAINS`, `BEGINSWITH`; append `[c]` for case-insensitive matching) and `AND`/`OR`/`NOT`. Useful fields include `process`, `processIdentifier`, `sender`, `subsystem`, `category`, `eventMessage` and `messageType`.


 Example: Show Logs Within a Given Time Frame



log show --predicate 'eventMessage contains "error"' --info --start "2023-06-01 00:00:00" --end "2023-06-01 23:59:59"

Times are local time in `YYYY-MM-DD HH:MM:SS` form. Note that `contains` without `[c]` is case-sensitive, so this would not match "Error".


 Log Levels

 default: Standard messages; always written to the persistent store.

 info: Informational messages; kept in an in-memory buffer by default and written to disk only when the subsystem is configured for it, so they may be visible in `log stream` but absent from `log show` later.

 debug: Debugging information; discarded unless enabled for the subsystem with `log config` or a profile.

 error: Errors that need attention; always persisted.

 fault: Severe errors that usually indicate a bug or an imminent crash; always persisted.


Specified Log Level

Filter by level with the `messageType` field (values `default`, `info`, `debug`, `error`, `fault`). `info` and `debug` entries are only shown when `--info` or `--debug` is also given.


Example: Filter by Log Level


log show --predicate 'messageType == error'


Log Stats


The `log stats` command reports which processes and subsystems generate the most entries, which is useful for spotting noisy components before tuning what is persisted.


Example: Viewing Log Statistics


log stats --overview


Subsystems and Categories

Subsystems (reverse-DNS names such as `com.apple.network`) and the categories within them identify which component wrote an entry. They are the most useful fields to learn for an investigation because they are far more stable than message text, which changes between OS versions.


 Example: Filtering by Subsystem


log show --predicate 'subsystem == "com.apple.network"'

Combine with `AND category == "..."` to narrow the result to one category of that subsystem.


Log Archive

To preserve the log store for later analysis on another machine, create a log archive. Run it as root so the whole store is included; `--last 1d` or `--start` limits the range:


log collect --output <path_to_logarchive>.logarchive

The resulting `.logarchive` bundle is a copy of /var/db/diagnostics and /var/db/uuidtext and can be opened in Console.app or passed as the first argument to `log show`. Collect it early in an incident, because the live store is rolled over as it fills.


Syslog

`syslog` is the traditional Apple System Log (ASL) interface that Unified Logging supersedes. It remains available for compatibility but reads only the legacy ASL store under /var/log/asl, not the unified log, so most modern entries will not appear in it.


 Example: Viewing Syslog


syslog -k Sender Finder


System Logging Daemon

The unified log is written by `logd`, the background daemon that receives messages from `os_log` clients and the kernel and maintains the store under /var/db/diagnostics; `log stream` receives live entries through `diagnosticd`. The legacy `syslogd` still handles ASL traffic. Missing entries or a `log stream` that produces nothing usually point to one of these daemons.


Sysdiagnose

`sysdiagnose` collects an extensive diagnostics bundle (a `.tar.gz` written under /var/tmp by default) that includes a `system_logs.logarchive` copy of the unified log alongside process, network and kernel state. It takes several minutes and requires root.


Example: Running Sysdiagnose


sudo sysdiagnose -f /path/to/output


Profiles and Logs


Configuration profiles with a `com.apple.system.logging` payload control `logd` settings such as per-subsystem levels and persistence, and whether `<private>` values are shown, so one logging policy can be applied to a whole fleet through MDM.


Example: Installing a Configuration Profile


sudo profiles -I -F /path/to/profile.mobileconfig

Since macOS 11 the `profiles` tool no longer installs configuration profiles directly; it hands them to System Settings, where the user must approve them, and fleet deployment should go through MDM. `profiles -P` still lists what is installed.
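The profile most often wanted for security work is the one that stops `logd` redacting dynamic strings as `<private>`. The following is an added example for this post, not Apple's or the article's own code: it generates that profile with `plistlib` and includes a check that can be run over any `.mobileconfig` to confirm the setting is present. The payload type `com.apple.system.logging` and the `System` / `Enable-Private-Data` keys are the ones `logd` reads; the `org.example` identifiers, display names and description are placeholders chosen for this example.

```python
"""Generate and audit the profile that lifts <private> redaction (added example)."""
import plistlib
import uuid

LOGGING_PAYLOAD_TYPE = "com.apple.system.logging"


def build_logging_profile(enable_private_data=True, org="org.example"):
    """Return .mobileconfig bytes: a system-scoped configuration profile with
    one com.apple.system.logging payload. Identifiers are example placeholders."""
    payload = {
        "PayloadType": LOGGING_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.logging.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Unified log settings",
        "PayloadEnabled": True,
        # True makes logd keep dynamic strings instead of writing <private>.
        "System": {"Enable-Private-Data": bool(enable_private_data)},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.logging",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Unified log private data",
        "PayloadDescription": "Shows otherwise-redacted <private> values in the unified log.",
        "PayloadScope": "System",  # device-level profile, not a per-user one
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def private_data_enabled(mobileconfig):
    """Audit check over .mobileconfig bytes: True only for a system-scoped
    configuration profile whose logging payload enables private data."""
    prof = plistlib.loads(mobileconfig)
    if prof.get("PayloadType") != "Configuration" or prof.get("PayloadScope") != "System":
        return False
    return any(p.get("PayloadType") == LOGGING_PAYLOAD_TYPE
               and p.get("System", {}).get("Enable-Private-Data") is True
               for p in prof.get("PayloadContent", []))


if __name__ == "__main__":
    data = build_logging_profile()
    with open("enable-private-data.mobileconfig", "wb") as fh:
        fh.write(data)
    print("private data enabled:", private_data_enabled(data))
```

Deploy the generated file through MDM, or open it and approve it in System Settings; once installed, new entries that previously showed `<private>` carry the real values, and because that includes usernames and paths the profile should be scoped to investigation hosts rather than the whole fleet.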



Unified Logging on macOS offers a powerful and flexible system for managing log data, essential for effective system administration and security. By mastering the `log` command and understanding the structure and storage of logs, sysadmins can greatly enhance their ability to monitor, troubleshoot, and secure macOS systems.
