as of 3/21/23 Monterey

/etc/asl

Must they exist??

   com.apple.MessageTracer
# redirect com.apple.message.domain to /var/log/DiagnosticMessages
? [T com.apple.message.domain] claim only
* store_dir /var/log/DiagnosticMessages ttl=30

   com.apple.authd
? [= Sender authd] claim only
* file /var/log/authd.log mode=0640 compress format=bsd rotate=seq file_max=5M all_max=20M
? [<= Level error] file /var/log/system.log
? [<= Level error] store

   com.apple.cdscheduler
# /etc/asl/com.apple.cdscheduler
> cdscheduler.log format=std rotate=local ttl=3 all_max=2M compress
? [= Sender com.apple.CDScheduler] file cdscheduler.log
? [= Sender com.apple.CDScheduler] [> Level error] claim

   com.apple.contacts.ContactsAutocomplete
> /var/log/com.apple.contacts.ContactsAutocomplete mode=0750
? [= Facility com.apple.contacts.ContactsAutocomplete] claim only
? [= Facility com.apple.contacts.ContactsAutocomplete] [= Category Debug] 
        file /var/log/com.apple.contacts.ContactsAutocomplete/Debug.log rotate=Debug.local.log 
        ttl=7 file_max=10M all_max=200M compress 
        fmt='$(Time) $(Host) $(Sender)[$(PID) $(ThreadID)] <$((Level)(str))>: $(Function):$(Line) | $(Message)'
? [= Facility com.apple.contacts.ContactsAutocomplete] [= Category Performance] 
        file /var/log/com.apple.contacts.ContactsAutocomplete/Performance.log rotate=Performance.local.log 
        ttl=7 file_max=10M all_max=200M compress 
        fmt='$(Time) $(Host $(Sender)[$(PID) $(ThreadID)] <$((Level)(str))>: $(Function):$(Line) | $(Message)'
? [= Facility com.apple.contacts.ContactsAutocomplete] [= Category Sorting] 
        file /var/log/com.apple.contacts.ContactsAutocomplete/Sorting.log rotate=Sorting.local.log 
        ttl=7 file_max=10M all_max=200M compress 
        fmt='$(Time) $(Host) $(Sender)[$(PID) $(ThreadID)] <$((Level)(str))>: $(Function):$(Line) | $(Message)'
? [= Facility com.apple.contacts.ContactsAutocomplete] [= Category Probes] 
        file /var/log/com.apple.contacts.ContactsAutocomplete/Probes.log rotate=Probes.local.log 
        ttl=7 file_max=10M all_max=200M compress 
        fmt='$(Time) $(Host) $(Sender)[$(PID) $(ThreadID)] <$((Level)(str))>: $(Function):$(Line) | $(Message)'

   com.apple.coreduetd
# Even though coreduetd currently does not use ASL, this tells ASLmanager to rotate the log file
# daily by copying it, compressing it, and then truncating the existing file. 
# It will also delete files older than 1 day old.
> /var/log/CoreDuet/coreduetd.log extern rotate=local extern rotate=local compress truncate mode=0644 ttl=1 all_max=16M

   com.apple.eventmonitor
# redirect com.apple.eventmonitor* messages to /var/log/eventmonitor
? [A= Facility com.apple.eventmonitor] claim only
* store_dir /var/log/eventmonitor

   com.apple.install
# install messages get saved only in /var/log/install.log
? [= Facility install] claim only
* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]
 $Message' rotate=seq compress file_max=50M all_max=150M size_only

   com.apple.iokit.power
? [= Facility com.apple.iokit.power] claim only
* store_dir /var/log/powermanagement rotate=local ttl=14
# Guest logs are admin readable and copied to limited-duration Guest.log
# This module is only enabled when user "Guest" is logged in.
= enable 0
= [= ut_user Guest] [= ut_type 7] enable 1
= [= ut_user Guest] [= ut_type 8] enable 0
? [= UID 201] access 0 80
? [= UID 201] file /Users/Guest/Library/Logs/Guest.log soft

   com.apple.mail
# mail facility has its own log file
? [= Facility mail] claim only
> /var/log/mail.log mode=0644 format=bsd rotate=seq compress file_max=5M all_max=50M
* file /var/log/mail.log

   com.apple.mkb
> /private/var/log/keybagd.log soft compress format=bsd rotate=seq file_max=5M all_max=20M ttl=5
? [= Sender keybagd] claim                                  file keybagd.log
? [= Sender kernel] [CA= Message AppleKeyStore]             file keybagd.log
? [= Sender UserEventAgent] [CS= Message LockStateNotifier] file keybagd.log
? [= Sender kernel] [CA= Message AppleSEPKeyStore]          file keybagd.log

   com.apple.mkb.internal
= enable [File /private/var/root/.mkb_debug]

   com.apple.mkb.internal
> /private/var/log/keybagd.log
? [= Sender kernel] [CA= Message SEP]                       file keybagd.log
? [= Sender SpringBoard] [CS= Message MC ]                  file keybagd.log
? [= Sender SpringBoard] [CS= Message secure lock screen]   file keybagd.log
? [= Sender backboardd] [CA= Message MultitouchHID]         file keybagd.log
? [= Sender profiled]                                       file keybagd.log
? [= Sender mdmd]                                           file keybagd.log

   com.apple.networking.boringssl
= enable [Plist /Library/Preferences/com.apple.networkd.plist] [= boringssl_log_debug 1]
? [= Facility com.apple.networking.boringssl] 
        file /Library/Logs/CrashReporter/com.apple.networking.boringssl.log rotate=local-basic crashlog 
        file_max=1M compress 
        format=$((Time)(local.6))\ $Host\ $(Sender)[$(PID)]\ <$((Level)(str))> \ $(Message)
> /Library/Logs/CrashReporter mode=0755

   com.apple.performance
# redirect com.apple.performance* messages to /var/log/performance
? [A= Facility com.apple.performance] claim only
* store_dir /var/log/performance


com.apple.MessageTracer    
com.apple.authd
com.apple.cdscheduler
com.apple.contacts.ContactsAutocomplete
com.apple.coreduetd
com.apple.eventmonitor          
com.apple.install               
com.apple.iokit.power                   
com.apple.login.guest
com.apple.mail
com.apple.mkb
com.apple.mkb.internal
com.apple.networking.eapol


com.apple.networking.boringssl
com.apple.performance





ASL config "claims" syslog

log