Max OS version syslogd
unified logging


Sends and Reads messages of the system's log message data store

controls message filters displays configuration and modules

Sending a message to the syslog daemon

syslog -s message[-r host ] [-l level ]

syslog -s -k key value

-ssend a message. Also done by logger
-r host remote syslog server (see syslog.conf)
-l level set the log level (priority) of the message 1-7 or A, alert
    Emergency (0)       note counter-intuitive Emergency has a level less than Debug.
    Alert      (1)
    Critical   (2)       
    Error     (3)
    Warning    (4)       
    Notice     (5)       
    Info       (6)     
    Debug      (7) 
Accepts one or two leading characters for a level specification.
Use Em for Emergency and Er for Error.


syslog -s -l Er "Cannot mount /dev/disk0s14"
produces entry:(as displayed by kiwi )
2012-03-30 21:33:24 Kernel.Emerg smackerPro.germans syslog[71032]:Cannot mount /dev/disk0s14

syslog -s -r -l Em -k Facility eq mail "sent trhough LAN -l Em"
produces entry:(as displayed by kiwi )
O2012-03-30 21:51:12 Local7.Debug smackerPro.germans 107 [Sender syslog] [Level 0] [Facility eq] [mail sent trhough LAN -l Em] [Time 1333158663] [Host smackerPro]<000>

-k key val
  [key val]
structured message will be sent with keys and values as arguments.
A key or value with embedded white space must be enclosed in quotes.

Reading messages

syslog [-w] [-F format] [-u] expression

With no arguments, syslog displays all the messages in the data store with level < INFO.
note counter-intuitive Error has a level less than info.
(i.e. notices, warnings, errors, criticals, alerts and emergencies ).

-w displays last 36 messages and waits for new messages, ( similar to watching a log file using: tail -f /var/log/system.log
-u UTC is used to display time stamps
-F format
  • std Standard (default) format. simlar to bsd, includes the message priority level
    Sat Jul 10 18:29:24 smackerpro login[20636] <Notice>: USER_PROCESS: 20636 ttys006
    Sat Jul 10 18:41:17 smackerpro Activity Monitor[209] 
            <Error>: kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface
    Sat Jul 10 18:41:17 smackerpro \[0x0-0xa00a\][209] 
            <Notice>: Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\] <Error>: 
        kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface
  • bsd Format used by the syslogd daemon for system log files, e.g. /var/log/system.log.
  • raw Prints the complete message structure.
    Each key/value pair is enclosed in square brackets. Embedded closing brackets and white space are escaped.
    Time stamps are printed using UTC.

    [Time 1278800964] [Host smackerpro] [Sender login] [PID 20636] [UID 0] [GID 20] [Level 5]
     [Message USER_PROCESS: 20636 ttys006]
     [ASLMessageID 283631] [TimeNanoSec 683290000] [Facility]
     [ut_user dgerman] [ut_id s006] [ut_line ttys006] [ut_pid 20636] [ut_type 7] [ut_tv.tv_sec 1278800964] [ut_tv.tv_usec 682818]
     [ASLExpireTime 1310423364]
    [Time 1278801677] [Host smackerpro] [Sender Activity Monitor] [PID 209] [UID 501] [GID 20] [Level 3]
      [Message kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
     [ASLMessageID 283632] [TimeNanoSec 350398000] [Facility]
    [Time 1278801677] [Host smackerpro] [Sender \[0x0-0xa00a\]] [PID 209] [UID 501] [GID 20] [Level 5]
                [Message Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\] <Error>:
              kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
     [ASLMessageID 283633] [TimeNanoSec 363177000] [ReadUID 501] [Facility] [Session Aqua]

Custom format strings may include variables of the form $Name (or $(Name) if the key is not delimited by whitespace) For example:

syslog -F '$Time $Host $(Sender)[$(PID)]: $Message'

produces output :

 May 26 01:43:51 smacker Software Update[19720]: __choice_su_visible returned wrong type (())
 May 26 14:56:10 localhost mDNSResponder-108.5 (May  9 2007 15[-1]: 08:01)[63]: starting
 May 26 14:56:18 localhost DirectoryService[80]: Launched version 2.1 (v353.6)
 May 26 14:56:22 localhost mDNSResponder[-1]: Adding browse domain local.
 May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003
 May 26 14:56:22 localhost configd[67]: initCardWithStoredPrefs failed.
 May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003 

  • -k key message has the specified key, regardless of value.
  • -k key value message has exactly the specified value for the key.
  • -k key operator value
keys include: Time Sender Facility Level Host Pid Message (Case sensitive)


Specify matching criteria to filter for messages of interest>

A simple expression is a list of one or more key/value pairs.

operators include:
eq  equal gt greater than lt less than
ne not equal    ge  greater than or equal to   le  less than or equal
 The operator may be preceded by:
A prefix S substring Z suffix
C case-fold
R regular expression (see regex(3))

N numeric comparison Neq, Nne, Ngt, Nle …

For example, to find messages send by portmap :

syslog -k Sender portmap
Messages containing could not:
syslog -k Message Seq "Could not"

Multiple simple expressions match a message if all of the key-value operations match, i.e. AND of all of key-value operations.

 syslog -k Sender      -k Level eq Emergency

-o separates simple expressions and provides an OR operation.

To find all messages which have either a Sender portmap or that have a numeric priority level of 4 or less:

syslog -k Sender portmap    -o    -k Level Nle 4
For matching time stamps: An negative integer is the number of seconds before the current time.
To find all messages of priority level 3 (error) or greater which were logged in the last 5 minutes ( 300 seconds):
syslog -k Level Ngt 3 -k Time ge -300
a relative time value may be optionally followed by s, m, h, d, or w to specify seconds, minutes, hours, days, or weeks. week is 7 complete days (i.e. 604800 seconds) i.e. not since Sunday.
An unsigned integer value is the number of seconds since epoch (i.e. 00:00:00 , January 1, 1970, Coordinated Universal Time.


Filtering Controls

It appears , by inspection, as of 4/2/17 no processses have filters set

Clients of the "System Log Facility" (using either the asl or syslog interfaces) have a log filter mask which specifies if messages should be sent for each priority level.

syslog -c process [mask] [-s [on|off]] [-t [on|off ]]

0 (for master flags)
must be currently running

> /usr/bin/syslog -c systemstats
Process 208 syslog settings: 0x00000000 OFF / 0x00 Off
mask any combination of p a c e w n i d
Emergency (Panic), Alert, Critical, Error, Warning, Notice, Info, Debug
a minus sign preceding a single letter means "up to" that level

use "-c process off" to deactivate current settings

-s ASL messages
-t Activity Tracing mesages

A value is set for the Master filter, overrides the local filter for all processes.

To display the setting of the Master filter mask:

        > /usr/bin/syslog -c 0
        Master settings: 0x00000000 OFF / 0x00 Off 
        > sudo /usr/bin/syslog -c 0 d -t on
        > /usr/bin/syslog -c 0
        Master settings: 0x00070080 ON  ASL TRACE / 0x80 Debug
The master filter may be unset with:
sudo /usr/bin/syslog -c 0 off
To disable Debug and Info messages ,
To set the master filter level to cause all processes to log messages from Emergency up to Debug:
sudo /usr/bin/syslog -c 0 -d
Another filter mask is specified for an individual process. If a per-process filter mask is set, it overrides both the local filter mask and the master filter mask.

The default data store filter mask saves messages with priority levels from Emergency to Notice (level 0 to 5). The level may be inspected using:

syslog -c syslogd
For example, to save messages with priority level Error or less in the data store:
syslog -c syslog -e
Errors include:
Unable to determine syslog settings for pid nnn needs root for this process (goes to stdout)
nnn: multiple processes found \n use pid to identify a process uniquely
    Use > /bin/ps -e | grep nnnn
Returns 0 if process is not running!

configuration display

syslog -config

debug 0
dbtype file
db_file_max 25600000
db_memory_max 256
db_memory_str_max 1024000
mps_limit 0
bsd_max_dup_time 30
mark_time 0
utmp_ttl 31622400
memory_size 0
memory_max 10240000
stats_interval 600
work_queue_count 0
asl_queue_count 0
bsd_queue_count 0
client_count 50
disaster_occurred 0
watchers_active 0
asl_action enabled
bsd_in enabled
bsd_out enabled
klog_in enabled
udp_in enabled
remote disabled
modules: enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled enabled disabled enabled enabled enabled disabled enabled enabled disabled enabled disabled disabled enabled enabled


syslog -module [name [enable 1|0] checkpoint [file]

with no name, outputs configuration for all ASL output modules
with name and no action, prints configuration for named ASL output module
supported actions - module name required, use '*' (with single quotes) for all modules:
˙ enables (or disables with 0) named module. does not apply to when '*' is used
˙ checkpoints all files or specified file for named module


syslog -stats [-n n] [-d path] [-v]

outputs usage statistics
-n n outputs stats for just the top n (e.g. top 10) senders
-d path reads the ASL database at the given path for statistics
-v verbose ([message_count total_data data_average] for 10 minute intervals)

 > /usr/bin/syslog -stats
sender: message_count (% of total) data_size
TOTAL: 36680 (100.00%) 20815221
logd: 8288 (22.65%) 2612376
trustd: 6526 (17.83%) 4065360
powerd: 3300 (9.02%) 2156544
diagnostics_agent: 2613 (7.14%) 1630512 2481 (6.78%) 1548144 


syslog [-f file...] [-d path...] [-x file] [-w [N]] [-F format] [-nocompress] [-u] [-sort key1 [key2]] [-nsort key1 [key2]] [-k key [[op] val]]... [-o -k key [[op] val]] ...]...
   -f     read named file[s], rather than standard log message store.
   -d     read all file in named directory path, rather than standard log message store.
   -x     export to named ASL format file, rather than printing
   -w     watch data store (^C to quit)
          prints the last N matching lines (default 10) before waiting
          "-w all" prints all matching lines before waiting
          "-w boot" prints all matching lines since last system boot before waiting
   -F     output format may be "std", "raw", "bsd", or "xml"
          format may also be a string containing variables of the form
          $Key or $(Key) - use the latter for non-whitespace delimited variables
   -T     timestamp format may be "sec" (seconds), "utc" (UTC), or "local" (local timezone)
   -E     text encoding may be "vis", "safe", or "none"
   -nodc  no duplicate message compression
   -u     print timestamps using UTC (equivalent to "-T utc")
   -sort  sort messages using value for specified key1 (secondary sort by key2 if provided)
   -nsort numeric sort messages using value for specified key1 (secondary sort by key2 if provided)
   -k     key/value match
          if no operator or value is given, checks for the existence of the key
          if no operator is given, default is "eq"
   -B     only process log messages since last system boot
   -C     alias for "-k Facility"
   -o     begins a new query
          queries are 'OR'ed together

Seems to be deprecated in leu of newsyslog used by Mac OS to maintain system log files to manageable sizes.


The System Log facility saves received messages, subject to filtering criteria described in the FILTERING CONTROLS section, Pruning is required to prevent unlimited growth of the data store.

The syslogd daemon will prune the data store after it starts. See syslogd(8).

-p must be followed by an expression, messages that match the expression are deleted.

A daily pruning operation should be started by cron specified for Mac OSX 10.4 in /etc/periodic/daily/500.daily.

# Delete all messages after 7 days (-k Time lt -7d)
# Delete Warning (Level 4) and above after 3 days (-k Time lt -3d -k Level ge 4)
# Delete Info (Level 6) and above after 1 day (-k Time lt -1d -k Level ge 6)
syslog -p  -k Time lt -7d  -o  -k Time lt -3d -k Level ge 4  -o  -k Time lt -1d -k Level ge 6
    LowPriorityIO: true
    Nice 1
    StartCalendarInterval:Minute 30 


logger, asl(AppleSystemLogger), syslog(3),
syslogd, aslmanager BalaBit syslog-ng (new generation) filters not only facility.level, txt | database, TCP|UDP
Simple log watcher takes action on matching event.
Apple System Log server (ASL) deamon Mac OS X October 18, 2004

From /System/Library/LaunchDaemons reformatted by ed

/System/Library/LaunchDaemons > plutil  -p
  JetsamProperties  { JetsamPriority  -49 JetsamMemoryLimit  300 }
  EnvironmentVariables  { ASL_DISABLE  1 }
  MachServices  { ; { ResetAtClose  1 } }
  EnableTransactions  1
  ProgramArguments  [ 0  /usr/sbin/syslogd ]
  Sockets ; { AppleSystemLogger  { SockPathName  /var/run/asl_input SockPathMode  438 }
               BSDSystemLogger   { SockPathName  /var/run/syslog SockType  dgram SockPathMode  438 }
  HopefullyExitsLast => 1
  OnDemand => 0

log displayer

macOS Sierra (10.12) introduced a new logging mechanism called Unified Logging. The developer reference document states that the same mechanism will be used for iOS 10, tvOS 10, and watchOS 3 as well.

unified logs will take the places of Apple System Logs as well as Syslog which is what rely on quite heavily for log analysis on 10.11 and older systems. As of 10.12.1, these logs still exist in /var/log

The unified logs are stored in two directories: /var/db/diagnostics/

/var/db/diagnostics/ contains log files named with a timestamp filename following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3. binary files. Other files including additional log *.tracev3 files and others that contain logging metadata.

/var/db/uuidtext/ contains files that are references to tracev3 log files.

log collects, removs, configurs, and reviews logs data. The new ‘Console’ application can be used to view logs in real-time (volatile logs)

log collect collects records from a certain timeframe, log size, or type into a *.logarchive archive bundle. *.logarchive files can be imported into the Console application.

log show parses binary logs either from a specific *.tracev3 file(s) or from a *.logarchive bundle . A user can filter on different predicates filters or time frames.

Apple Developer

Made true HTML and terse by Dennis German