peeling back the bark > @chilcote - Join us July...
Transcript of peeling back the bark > @chilcote - Join us July...
![Page 1: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/1.jpg)
peeling back the bark
> @chilcote

Legacy
Apple System Logger (asl)
Unix (syslog)
Audit logs (BSM)

NOTE: Most system logs have moved to a new logging system. See log(1) for more
information.
> syslog manpage

Unified Logging
Cross-device
Binary format
Volatile

brevity
vs
verbosity verbosity verbosity verbosity verbosity verbosity verbosity

All you have to do is write one true sentence. Write the truest sentence that you know.
> Ernest Hemingway

"For sale: baby shoes, never worn."
> Ernest Hemingway

"Wait," he said, staring. "You're me."
> Don't judge; I got free tickets

I've put in so many enigmas and puzzles that it will keep the professors busy for centuries
arguing over what I meant, and that's the only way of insuring one's immortality.
> James Joyce

I have eaten the plums that were in the icebox
> brevity

We few, we happy few, we band of brothers;
For he to-day that sheds his blood with me
Shall be my brother; be he ne'er so vile,
This day shall gentle his condition
> verbosity

More is better, really
> Apple Technote tn2347

single, efficient, performant API
> Apple Dev Site

Log levels
Types of messages
persistence
Configuration Profiles

Log level: default
Potential Failures
Memory buffer
Data store
Purged

Log level: info
Non-essential
Memory buffer
Faults saved to Data Store
Purged

Log level: debug
Dev only
Memory Buffer
Configuration change
Purged

Log level: error
Process-level errors
Not buffered
Data Store
Purged

Log level: Fault
System-level errors
Multi-process errors
Data Store
Purged

Data Store
tracev3 (compressed binary) formatted
/var/db/diagnostics
/var/db/uuidtext

Legacy APIs
NSLog
syslog
asl_log_message

New APIs
os_log
os_log_info
os_log_debug
os_log_fault
os_log_create

Log Format
Timestamp Thread Type Activity PID
2017-07-14 09:25:00.177592-0700 0bn0X Fault 0x8005428c 343 macadminsd: (PSUMacAdmins) [com.psumac.pay.attention] [ERROR] get off of twitter

Log Format
2017-07-14 09:25:00.177592-0700 \  # Timestamp
0bn0X \                            # Thread
Fault \                            # Type
0x8005428c \                       # Activity
343 \                              # PID
macadminsd: \                      # Process Name
(PSUMacAdmins) \                   # Library
[com.psumac.pay.attention] \       # Subsystem & Category
[ERROR] get off of twitter         # Message
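
An added example, not from the talk: a Python parser for the default text layout annotated above, run over the two sample lines shown on these slides plus one constructed line. The optional TTL column, the dotted-subsystem heuristic, the continuation-line handling and the `exampled`/`ExampleKit` names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One event line in the default text layout:
#   Timestamp Thread Type Activity PID process: (library) [subsystem:category] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}[+-]\d{4})\s+"
    r"(?P<thread>\S+)\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<activity>\S+)\s+"
    r"(?P<pid>\d+)\s+"
    # Assumption: newer macOS releases print a TTL column after PID; accept and ignore it.
    r"(?:(?P<ttl>\d+)\s+)?"
    r"(?P<process>[^:]+):\s*"
    r"(?:\((?P<library>[^)]*)\)\s*)?"
    # Heuristic: only a dotted, reverse-DNS style token counts as a subsystem,
    # so a message that itself starts with "[ERROR]" is not mistaken for one.
    r"(?:\[(?P<subsystem>[\w-]+(?:\.[\w-]+)+)(?::(?P<category>[^\]]*))?\]\s*)?"
    r"(?P<message>.*)$"
)


@dataclass
class LogEntry:
    timestamp: datetime
    thread: str
    type: str
    activity: str
    pid: int
    process: str
    library: Optional[str]
    subsystem: Optional[str]
    category: Optional[str]
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for headers and other non-event lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return LogEntry(
        timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z"),
        thread=m["thread"],  # kept as text: the slide's sample value is not hex
        type=m["type"],
        activity=m["activity"],
        pid=int(m["pid"]),
        process=m["process"].strip(),
        library=m["library"],
        subsystem=m["subsystem"],
        category=m["category"],
        message=m["message"],
    )


def parse_output(text: str) -> List[LogEntry]:
    """Parse a whole capture; unmatched lines after an event continue its message."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
        elif entries and line.strip():
            entries[-1].message += "\n" + line
    return entries


def errors_and_faults(entries: List[LogEntry]) -> List[LogEntry]:
    """Keep only the two levels the slides describe as errors."""
    return [e for e in entries if e.type in ("Error", "Fault")]


# Lines 3 and 4 are the slides' own samples; the last event is constructed.
SAMPLE = """\
Filtering the log data using "eventMessage CONTAINS "Hello PSU""
Timestamp Thread Type Activity PID
2017-07-14 09:25:00.177592-0700 0bn0X Fault 0x8005428c 343 macadminsd: (PSUMacAdmins) [com.psumac.pay.attention] [ERROR] get off of twitter
2017-07-08 16:21:53.917539-0700 0x2bc6e Default 0x0 3233 Python: (libffi.dylib) Hello PSU
2017-07-14 09:25:01.000001-0700 0x1a2b Error 0x0 512 0 exampled: (ExampleKit) [com.example.my_subsystem:example_category] [ERROR] upload failed
  retry scheduled
"""

if __name__ == "__main__":
    for e in errors_and_faults(parse_output(SAMPLE)):
        print(e.timestamp.isoformat(), e.type, e.process, e.subsystem, repr(e.message))
```

The text layout is ambiguous by design (brackets can open either a subsystem or a message), so `--style json` is the safer input when the output feeds another tool.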

signal
vs
noise noise noise noise noise noise noise noise noise noise noise
noise noise noise noise noise noise noise noise noise noise noise noise noise
noise noise noise noise noise noise noise noise noise noise noise noise noise
noise noise noise noise noise

$ log
usage: log <command>

global options:
    -?, --help
    -q, --quiet
    -v, --verbose

examples:
    log show
    log collect
    log erase --all
    log help stream

commands:
    collect, config, erase, show, stream

further help:
    log help <command>

log show --predicate 'eventMessage contains "shutdown"' \
    --style syslog \
    --info \
    --last 12h

log show --predicate 'eventMessage contains "shutdown"' \
    --style json \
    --debug \
    --last 7d

log show --predicate 'subsystem == "com.apple.Finder"' \
    --info \
    --start '2017-06-05 06:00:00' \
    --end '2017-06-05 06:59:00'

log show --predicate examples:
    --predicate 'eventMessage contains "my message"'
    --predicate 'eventType == logEvent and messageType == info'
    --predicate 'processImagePath endswith "d"'
    --predicate 'not processImagePath contains[c] "some spammer"'
    --predicate 'processID < 100'
    --predicate 'senderImagePath beginswith "my sender"'
    --predicate 'eventType == logEvent and subsystem contains "com.example.my_subsystem"'
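
An added example, not from the talk, on the signal-versus-noise point: it reads `log show --style json` output, finds processes that dominate the volume without ever logging an Error or Fault, and builds a `--predicate` string that excludes exactly those. The events, the `chattyd` and `loudd` processes, their paths and the 25% threshold are constructed for illustration.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

SEVERE = {"Error", "Fault"}  # messageType values that must never be filtered away


def _event(path: str, mtype: str, msg: str, subsystem: str = "") -> Dict[str, str]:
    # Constructed record using the same field names the predicates above refer to.
    return {"eventType": "logEvent", "processImagePath": path,
            "messageType": mtype, "subsystem": subsystem, "eventMessage": msg}


# Constructed stand-in for: log show --style json --last 1h
SAMPLE_JSON = json.dumps(
    [_event("/usr/local/libexec/chattyd", "Info", f"heartbeat {i}") for i in range(6)]
    + [_event("/usr/local/libexec/loudd", "Default", f"poll {i}") for i in range(3)]
    + [
        _event("/usr/local/libexec/loudd", "Error", "poll failed"),
        _event("/usr/local/sbin/macadminsd", "Fault",
               "[ERROR] get off of twitter", "com.psumac.pay.attention"),
        _event("/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
               "Default", "window opened", "com.apple.Finder"),
    ]
)


def load_events(text: str) -> List[Dict[str, str]]:
    """The json style is one JSON array of event objects."""
    return json.loads(text)


def summarize(events: List[Dict[str, str]]) -> Tuple[Counter, Counter]:
    """Count all events and severe events per process image path."""
    total: Counter = Counter()
    severe: Counter = Counter()
    for ev in events:
        path = ev.get("processImagePath", "")
        total[path] += 1
        if ev.get("messageType") in SEVERE:
            severe[path] += 1
    return total, severe


def noisy_paths(events: List[Dict[str, str]], min_share: float = 0.25) -> List[str]:
    """Processes producing at least min_share of the volume and no Error/Fault."""
    total, severe = summarize(events)
    n = sum(total.values())
    return sorted(p for p, c in total.items()
                  if n and c / n >= min_share and severe[p] == 0)


def quote(value: str) -> str:
    """Double-quote a string literal for a predicate, escaping \\ and \"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def exclusion_predicate(paths: List[str]) -> str:
    """Predicate text for --predicate; empty means pass no predicate at all."""
    if not paths:
        return ""
    clauses = " or ".join(f"processImagePath == {quote(p)}" for p in paths)
    return f"not ({clauses})"


def apply_exclusion(events: List[Dict[str, str]], paths: List[str]) -> List[Dict[str, str]]:
    """Same filter applied locally, to preview what the predicate would leave."""
    drop = set(paths)
    return [ev for ev in events if ev.get("processImagePath") not in drop]


if __name__ == "__main__":
    events = load_events(SAMPLE_JSON)
    noisy = noisy_paths(events)
    print("predicate:", exclusion_predicate(noisy))
    for ev in apply_exclusion(events, noisy):
        print(ev["messageType"], ev["processImagePath"], ev["eventMessage"])
```

`loudd` is as chatty as the threshold allows but stays visible because one of its events is an Error; matching on the full path with `==` avoids the over-matching that a short `contains` string can cause.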

log stream --style json \
    --process "Finder" \
    --type log \
    --level info

log stream --style json \
    --process "Finder" \
    --type log \
    --level debug --timeout 1h

log stream --style syslog \
    --process "Finder" \
    --type activity \
    --level default

log collect --output ./foo.logarchive \
    --start "2017-07-06 11:00:00"

log collect --output /tmp/foo.logarchive \
    --last 24h \
    --size 50k

log collect --last 3d \
    --size 200m

log config --status
log config --mode "private_data:on"
log config --reset
log config --mode "level:debug"
log config --process=999 \
    --mode="persist:info,propagate:off"
log config --subsystem com.example.my_subsystem
log config --category example_category

log erase --all
log erase --ttl

Console.app

INTERMISSION

steagles
> 1943
![Page 60: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/60.jpg)
Writing logs
![Page 61: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/61.jpg)
Writing logs
Logic and branchingUnique and easy to find text patterns
Variable and property valuesWho is being called?
Log a backtrace of your stack!
![Page 62: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/62.jpg)
Writing logs
Don't litter the logsAnnotate high-frequency logs for filtering
Generate context-specific sysdiagnosesSpecify user-concerning issues
> Daniel Jalkut
![Page 63: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/63.jpg)
logger -is -t foo "Hello PSU"log show --predicate \ 'eventMessage contains "Hello PSU"' \ --last 5m
![Page 64: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/64.jpg)
logger -is -t foo "Hello PSU"log show --predicate \ 'eventMessage contains "Hello PSU"' \ --last 5m
![Page 65: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/65.jpg)
>>> from Foundation import NSLog>>> NSLog("Hello PSU")2017-07-08 16:21:53.917 Python[3233:179310] Hello PSU
![Page 66: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/66.jpg)
log stream --predicate 'eventMessage contains "Hello PSU"' --infoFiltering the log data using "eventMessage CONTAINS "Hello PSU""Timestamp Thread Type Activity PID 2017-07-08 16:21:53.917539-0700 0x2bc6e Default 0x0 3233 Python: (libffi.dylib) Hello PSU
![Page 67: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/67.jpg)
log stream --predicate 'eventMessage contains "Hello PSU"' --infoFiltering the log data using "eventMessage CONTAINS "Hello PSU""Timestamp Thread Type Activity PID 2017-07-08 16:21:53.917539-0700 0x2bc6e Default 0x0 3233 Python: (libffi.dylib) Hello PSU
![Page 68: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/68.jpg)
More is better, really
![Page 69: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/69.jpg)
Examples
![Page 70: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/70.jpg)
log show --debug \ --predicate \ 'process == "EmbeddedOSInstallService"'
![Page 71: peeling back the bark > @chilcote - Join us July 10macadmins.psu.edu/files/.../07/psumac2017-205-Peeling-Back-the-Bark... · peeling back the bark > @chilcote. Legacy Apple System](https://reader030.fdocuments.in/reader030/viewer/2022020305/5c10b50109d3f26c2d8d0250/html5/thumbnails/71.jpg)
log stream --info \
    --debug \
    --predicate \
    'processImagePath contains "cloudconfig"'
log show --predicate \
    'eventMessage contains "Previous shutdown cause"' \
    --last 24h
log show --predicate \
    'eventMessage contains "ECDebug"' \
    --last 10m
log stream --style syslog \
    --process "Imagr" \
    --type log
log show \
    --predicate 'eventMessage contains "BOOT_TIME"' \
    --style json \
    --info
log show \
    --predicate 'eventMessage contains "System Wake"' \
    --style json \
    --info
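An added example (not from the original slides): merging the JSON output of the two `--style json` commands above into one boot/wake timeline and checking each BOOT_TIME epoch against the record's own timestamp. The records in SAMPLE are constructed; the `timestamp`/`eventMessage` keys and the `BOOT_TIME <epoch> <usec>` message shape are assumptions to verify against your macOS version's output.

```python
import json
from datetime import datetime, timezone

# Constructed sample standing in for `log show ... --style json` output
# (assumed shape: a JSON array of objects with timestamp/eventMessage keys).
SAMPLE = """[
 {"timestamp": "2017-07-08 09:02:11.000000-0700",
  "processImagePath": "/usr/sbin/syslogd",
  "eventMessage": "BOOT_TIME 1499529731 0"},
 {"timestamp": "2017-07-08 16:20:05.500000-0700",
  "processImagePath": "/kernel", "eventMessage": "System Wake"},
 {"timestamp": "2017-07-08 12:45:30.000000-0700",
  "processImagePath": "/kernel", "eventMessage": "System Wake"}
]"""

def parse_ts(ts):
    """Parse the timestamp format shown in the slides' log output."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")

def timeline(raw):
    """Return (when, kind, skew_seconds) tuples sorted by time.

    skew_seconds compares the epoch inside a BOOT_TIME message with the
    record timestamp; a large value suggests a clock change around boot.
    """
    events = []
    for rec in json.loads(raw):
        msg = rec.get("eventMessage") or ""
        when = parse_ts(rec["timestamp"])
        if msg.startswith("BOOT_TIME"):
            parts = msg.split()
            if len(parts) < 2 or not parts[1].isdigit():
                continue  # malformed message, skip rather than guess
            boot = datetime.fromtimestamp(int(parts[1]), tz=timezone.utc)
            events.append((when, "boot", abs((when - boot).total_seconds())))
        elif "System Wake" in msg:
            events.append((when, "wake", None))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for when, kind, skew in timeline(SAMPLE):
        print(when.isoformat(), kind, "" if skew is None else f"skew={skew}s")
```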
<key>com.apple.SCEP</key>
<dict>
    <key>DEFAULT-OPTIONS</key>
    <dict>
        <key>Default-Privacy-Setting</key>
        <string>Public</string>
        <key>Level</key>
        <dict>
            <key>Enable</key>
            <string>debug</string>
            <key>Persist</key>
            <string>debug</string>
        </dict>
    </dict>
</dict>
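An added example (not from the original slides): a defender-side audit of logging overrides such as the `com.apple.SCEP` fragment above, flagging subsystems where dynamic data defaults to public or debug messages are persisted. The top-level `<dict>` wrapper and the `com.example.quiet` entry are constructed, and `audit_overrides` is a hypothetical helper name.

```python
import plistlib

# The slide's fragment inside a constructed top-level <dict>, plus one
# constructed subsystem (com.example.quiet) that should not be flagged.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.SCEP</key>
  <dict>
    <key>DEFAULT-OPTIONS</key>
    <dict>
      <key>Default-Privacy-Setting</key><string>Public</string>
      <key>Level</key>
      <dict>
        <key>Enable</key><string>debug</string>
        <key>Persist</key><string>debug</string>
      </dict>
    </dict>
  </dict>
  <key>com.example.quiet</key>
  <dict>
    <key>DEFAULT-OPTIONS</key>
    <dict>
      <key>Level</key>
      <dict><key>Enable</key><string>info</string></dict>
    </dict>
  </dict>
</dict></plist>"""

def audit_overrides(plist_bytes):
    """Return sorted (subsystem, scope, finding) tuples for risky overrides."""
    findings = []
    for subsystem, scopes in plistlib.loads(plist_bytes).items():
        if not isinstance(scopes, dict):
            continue
        for scope, opts in scopes.items():  # DEFAULT-OPTIONS or a category
            if not isinstance(opts, dict):
                continue
            privacy = str(opts.get("Default-Privacy-Setting", "")).lower()
            if privacy == "public":
                findings.append((subsystem, scope,
                                 "dynamic data defaults to public (unredacted)"))
            level = opts.get("Level")
            level = level if isinstance(level, dict) else {}
            if str(level.get("Persist", "")).lower() == "debug":
                findings.append((subsystem, scope,
                                 "debug messages persisted to disk"))
    return sorted(findings)
```

Calling `audit_overrides(SAMPLE)` reports both findings for `com.apple.SCEP` and nothing for the constructed quiet subsystem.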
Thank you
> @chilcote