log

Access system wide log messages created by os_log, os_trace and other logging systems.

log [command [options]]

log help [command]

log collect [--output path] [--start date/time] [--size num [k|m]]

log config [--reset | --status] [--mode mode(s)] [--subsystem name [--category name]] [--process pid]

log erase [--all] [--ttl] [--faulterror]

log show [archive | file] [--predicate filter] [--source] [--style json | syslog] [--start date/time] [--end date/time] [--info] [--debug] [--last time [m|h|d]]

log stream [--level default | info | debug] [--parent pid | process] [--process pid | process] [--predicate filter] [--source] [--style json | syslog] [--timeout time [m|h|d]] [--type activity | log | trace]

Used to access system wide log messages created by os_log, os_trace and other logging systems.

help [command]
collect [path] to .logarchive that can be viewed later with tools such as log or Console.
Default .logarchive current directory.
--output path path or file.
--start date/time Limits capture from date/ time to now.
YYYY-MM-DD[ HH:MM:SS.
--size num [k|m] Example: "--size 100k" or "--size 20m"
config Configure, reset or read settings . Config commands can act system-wide or on a subsystem.
If not specified, system-wide is assumed.
If subsystem is specified, category is optional. Requires root access. Shows contents of the system log datastore, archive or a specific tracev3 file. If a file or archive is not specified, the system datastore will be shown. The output contains only default level messages unless --info and/or --debug are specified.
--reset
--status
If reset or status is not specified, a change to the configuration is assumed.
For example,
> sudo log config --status
System mode = INFO
"log config --reset
--subsystem com.mycompany.mysubsystem" resets subsystem to default settings. "log config
--status" will show the current system-wide logging settings.
log config --mode "level: default"" will set the system log level to default.
--subsystem name Set or get mode for a specified subsystem.
--category name Set or get mode for a specified category. If category is supplied, subsystem is required.
--process pid Set mode for a specified pid.
--mode mode(s) enables mode. level: {off | default | info | debug} The level is a hierarchy, e.g. debug implies debug, info, and default. Off can only be used with process.

persist: {off | default | info | debug}

erase Delete selected log data from the system. If no arguments are specified, the main log datastore and inflight log data will be deleted.
--all
--ttl
--faulterror
show [archive | file]
--predicate filter Filters messages based on the provided predicate, based on NSPredicate. A compound predicate or multi- ple predicates can be provided. See section "PREDICATE-BASED FILTERING" below.
--source Include symbol names and source line numbers for messages
--style json
--style syslog
--start date/time
--end date/time
--info includes info level messages
--debug
--last time [m|h|d] Time may be specified as minutes, hours or days. Defaiult:seconds.
example, "--last 30", "--last 3m", "--last 8h", "--last 2d"
stream Stream activities, log data or trace messages for the system or from a given process.
default, the command assumes system-wide streaming.
Specify a process id with --process to narrow the results.
--level default |
        info |
        debug
Shows messages at specified level and below. The level is a hierarchy. Specifying debug implies debug, info and default.
--predicate filter Filters messages using the provided predicate based on NSPredicate. A compound predicate or multiple predicates can be provided. See section "PREDICATE-BASED FILTERING" below.
--parent pid |
         process
Any child process of the provided process or pid will stream messages associated with the same activity id.
--process pid |
          process
The process on which to operate. This option can be passed more than once to operate on multiple processes.
--style json |
        syslog
Output the content as
--source Include symbol names and source line numbers for messages, if available.
--timeout time [m|h|d] Timeout the stream operation after a specified time,
Example: --timeout 5m, --timeout 1h If minutes, hours, days not specified, seconds will be used.
--type activity |
       log |
       trace
Dictates the type of events to stream from a process. By default all types are streamed unless otherwise specified. Pass an appropriate --type for each requested type of event.

PREDICATE-BASED FILTERING

Using predicate-based filters via the --predicate option allows users to focus on messages based on the provided filter criteria. For detailed information on the use of predicate based filtering, please refer to the Predicate Programming Guide: developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax

The filter argument defines one or more pattern clauses following NSPredicate rules. Supported keys include:

eventType logEvent, traceEvent, activityCreateEvent, or activityTransitionEvent.
eventMessage pattern  
messageType :default", "info", "debug", etc.
processImagePath pattern within the name of the process that originated the event.
senderImagePath pattern within the name of the sender that originated the event. specific library, framework, kext, or any valid mach-o binary that is executed.
subsystem pattern within the subsystem of the event. Only with os_log(3) APIs.
category pattern within the cateogry of the event. Only with os_log(3) APIs. When category is used, the subsystem filter should also be provided.

FILTERING EXAMPLES

Show time machine activity
log show --predicate 'subsystem == "com.apple.TimeMachine"' --info
Filter for specific subsystem:
      log show --predicate 'subsystem == "com.example.my_subsystem"'
Filter for specific subsystem and category:
  log show --predicate '(subsystem == "com.example.my_subsystem") && (category == "desired_category")'
Filter for specific subsystem and categories:
log show --predicate '(subsystem == "com.example.my_subsystem") && (category IN { "category1", "category2" })'
Filter for a specific subsystem and sender(s):
log show --predicate '(subsystem == "com.example.my_subsystem") && ((senderImagePath ENDSWITH "mybinary") || (senderImagePath ENDSWITH "myframework"))'
PREDICATE-BASED FILTERING EXAMPLES WITH LOG LINE
log show system_logs.logarchive --predicate 'subsystem == "com.example.subsystem" and category contains "CHECK"'

     Timestamp                       Thread     Type        Activity     PID
     2016-06-13 11:46:37.248693-0700 0x7c393    Default     0x0          10371  timestamp: [com.example.subsystem.CHECKTIME] Time is 06/13/2016 11:46:37

     log show --predicate 'processImagePath endswith "hidd" and senderImagePath contains[cd] "IOKit"' --info

     Timestamp                       Thread     Type        Activity     PID
     2016-06-10 13:54:34.593220-0700 0x250      Info        0x0          113    hidd: (IOKit) [com.apple.iohid.default] Loaded 6 HID plugins

ENVIRONMENT

OS_ACTIVITY_MODE info Enables info level messages. Does not override logging Preferences that have info level disabled.
debug Enables debug level messages which includes info level messages. Does not override logging Preferences that have info level or debug level disabled.
OS_ACTIVITY_STREAM Change the type of streaming enabled. live Live streaming from the process using IPC.
OS_ACTIVITY_PROPAGATE_MODE If set, will propagate the mode settings via activities.

Files

The logging system stores content in /var/db/diagnostics and references content in /var/db/uuidtext.

Seem to be cut up in 10MB chunks

Kept for like 10 Days

/var/db/diagnostics >lt

        68    Jul  9 13:35 HighVolume/
       102    Jul  9 13:37 timesync/
 1,094,285 Aug 25 18:49 logdata.statistics.1.txt
       484   Sep 17 11:27 version.plist
    71,954  Sep 17 21:02 shutdown.log
       986          07:30 Persist/
   59,3279         15:48 logdata.statistics.0.txt
      4386          15:48 Special/
db/diagnostics >du
  0       ./HighVolume
 68       ./timesync
 46,788   ./Special
244,640   ./Persist
293,224  .

SEE

os_log(3), os_trace(3)
Darwin May 10, 2016