Max OS X version


syslog -s message

Sends and views messages of the system's log message data store

-ssend a message. Also done by logger

-r host remote syslog server
-l level set the log level (priority) of the message 1-7 or A, alert
    Emergency (0)       note counter-intuitive Emergency has a level less than Debug.
    Alert      (1)
    Critical   (2)       
    Error     (3)
    Warning    (4)       
    Notice     (5)       
    Info       (6)     
    Debug      (7) 
Accepts one or two leading characters for a level specification.
Use Em for Emergency and Er for Error.


syslog -s -l Er "Cannot mount /dev/disk0s14"
produces entry:(as displayed by kiwi )
2012-03-30 21:33:24 Kernel.Emerg smackerPro.germans syslog[71032]:Cannot mount /dev/disk0s14
syslog -s -r -l Em -k Facility eq mail "sent trhough LAN -l Em"
produces entry:(as displayed by kiwi )
O2012-03-30 21:51:12 Local7.Debug smackerPro.germans 107 [Sender syslog] [Level 0] [Facility eq] [mail sent trhough LAN -l Em] [Time 1333158663] [Host smackerPro]<000>

-k key val
  [key val] …
structured message will be sent with keys and values as arguments.
A key or value with embedded white space must be enclosed in quotes.

Reading messages

syslog [-w] [-F format] [-u] expression

syslog -w displays last 36 messages and waits for new messages, ( similar to watching a log file using: tail -f /var/log/system.log

With no arguments, syslog displays all the messages in the data store with level < INFO.
note counter-intuitive Error has a level less than info.
(i.e. notices, warnings, errors, criticals, alerts and emergencies ).

-u UTC is used to display time stamps

-F format
  • std Standard (default) format. simlar to bsd, includes the message priority level
    Sat Jul 10 18:29:24 smackerpro login[20636] <Notice>: USER_PROCESS: 20636 ttys006
    Sat Jul 10 18:41:17 smackerpro Activity Monitor[209] 
            <Error>: kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface
    Sat Jul 10 18:41:17 smackerpro \[0x0-0xa00a\][209] 
            <Notice>: Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\] <Error>: 
        kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface
  • bsd Format used by the syslogd daemon for system log files, e.g. /var/log/system.log.
  • raw Prints the complete message structure.
    Each key/value pair is enclosed in square brackets. Embedded closing brackets and white space are escaped.
    Time stamps are printed using UTC.

    [Time 1278800964] [Host smackerpro] [Sender login] [PID 20636] [UID 0] [GID 20] [Level 5]
     [Message USER_PROCESS: 20636 ttys006]
     [ASLMessageID 283631] [TimeNanoSec 683290000] [Facility]
     [ut_user dgerman] [ut_id s006] [ut_line ttys006] [ut_pid 20636] [ut_type 7] [ut_tv.tv_sec 1278800964] [ut_tv.tv_usec 682818]
     [ASLExpireTime 1310423364]
    [Time 1278801677] [Host smackerpro] [Sender Activity Monitor] [PID 209] [UID 501] [GID 20] [Level 3]
      [Message kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
     [ASLMessageID 283632] [TimeNanoSec 350398000] [Facility]
    [Time 1278801677] [Host smackerpro] [Sender \[0x0-0xa00a\]] [PID 209] [UID 501] [GID 20] [Level 5]
      [Message Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\] : kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
     [ASLMessageID 283633] [TimeNanoSec 363177000] [ReadUID 501] [Facility] [Session Aqua]

Custom format strings may include variables of the form $Name (or $(Name) if the key is not delimited by whitespace) For example:

syslog -F '$Time $Host $(Sender)[$(PID)]: $Message'

produces output :

 May 26 01:43:51 smacker Software Update[19720]: __choice_su_visible returned wrong type (())
 May 26 14:56:10 localhost mDNSResponder-108.5 (May  9 2007 15[-1]: 08:01)[63]: starting
 May 26 14:56:18 localhost DirectoryService[80]: Launched version 2.1 (v353.6)
 May 26 14:56:22 localhost mDNSResponder[-1]: Adding browse domain local.
 May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003
 May 26 14:56:22 localhost configd[67]: initCardWithStoredPrefs failed.
 May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003 

-w an expression may be specified using -k and -o .

  • -k key message has the specified key, regardless of value.
  • -k key value message has exactly the specified value for the key.
  • -k key operator value


Specify matching criteria to filter for messages of interest.

A simple expression is a list of one or more key/value pairs.

keys include: Time Sender Facility Level Host Pid Message (Case sensitive, i.e. sender does not work!)
operators include:
eq  equal gt greater than lt less than
ne not equal    ge  greater than or equal to   le  less than or equal
 The operator may be preceded by:
A prefix S substring Z suffix
C case-fold
R regular expression (see regex(3))

N numeric comparison Neq, Nne, Ngt, Nle …

For example, to find messages send by portmap :

syslog -k Sender portmap
Messages containing could not:
syslog -k Message Seq "Could not"

Multiple simple expressions match a message if all of the key-value operations match, i.e. AND of all of key-value operations.

 syslog -k Sender      -k Level eq Emergency

-o separates simple expressions and provides an OR operation.

To find all messages which have either a Sender portmap or that have a numeric priority level of 4 or less:

syslog -k Sender portmap    -o    -k Level Nle 4
For matching time stamps: An negative integer is the number of seconds before the current time.
To find all messages of priority level 3 (error) or greater which were logged in the last 5 minutes ( 300 seconds):
syslog -k Level Ngt 3 -k Time ge -300
a relative time value may be optionally followed by s, m, h, d, or w to specify seconds, minutes, hours, days, or weeks. week is 7 complete days (i.e. 604800 seconds) i.e. not since Sunday.
An unsigned integer value is the number of seconds since epoch (i.e. 00:00:00 , January 1, 1970, Coordinated Universal Time.

Filtering Controls

-c process [filter] Filter Controls:
-help Clients of the "System Log Facility" (using either the asl or syslog interfaces) may specify a log filter mask which specifies which messages should be sent to syslogd, a yes/no for each priority level.

-c controls filtering.

In addition to the client filter there is a global master filter which is off by default.
A value is set for the master filter, overrides the local filter for all processes. Root is required to set the master filter .

To display the setting of the master filter mask:

syslog -c 0
Master filter mask: Off
The value of the master filter mask is set by providing a second argument following -c 0.
p Panic(Emergency) , a Alert, c Critical, E or x Error, w Warning, n Notice, i Info, and dDebug.
The master filter may be unset with:
syslog -c 0 off
preceded by a minus sign starting at level 0 (Emergency) up to the given level.
To disable Debug and Info messages ,
To set the master filter level to cause all processes to log messages from Emergency up to Debug:
syslog -c 0 -d
The master filter level is used to control the messages produced by all processes.

Another filter mask is specified for an individual process. If a per-process filter mask is set, it overrides both the local filter mask and the master filter mask. The current setting for a per-process filter mask is inspected using -c process, where process is either a PID or the name of a process. If a name is used, it must uniquely identify a process. To set a per-process filter mask, an second argument may be supplied following -c process as described above for the master filter mask. Root access is required to set the per-process fil ter mask for system (UID 0) processes.

The filtering described above takes place in the client library to determine which messages are sent to the syslogd daemon. The daemon also contains a filter which determines which messages are saved in the data store.

The default data store filter mask saves messages with priority levels from Emergency to Notice (level 0 to 5). The level may be inspected using:

syslog -c syslogd
To set the data store filter mask, a second argument is supplied following -c syslog as described above. For example, to save messages with priority level Error or less in the data store:
syslog -c syslog -e

seems to be deprecated (DGG)


The System Log facility saves received messages, subject to filtering criteria described in the FILTERING CONTROLS section, Pruning is required to prevent unlimited growth of the data store.

The syslogd daemon will prune the data store after it starts. See syslogd(8).

-p must be followed by an expression, messages that match the expression are deleted.

A daily pruning operation should be started by cron specified for Mac OSX 10.4 in /etc/periodic/daily/500.daily.

# Delete all messages after 7 days (-k Time lt -7d)
# Delete Warning (Level 4) and above after 3 days (-k Time lt -3d -k Level ge 4)
# Delete Info (Level 6) and above after 1 day (-k Time lt -1d -k Level ge 6)
syslog -p  -k Time lt -7d  -o  -k Time lt -3d -k Level ge 4  -o  -k Time lt -1d -k Level ge 6
See newsyslog
See newsyslog used by OSX mopuntain lion to maintain system log files to manageable sizes.
logger, asl(AppleSystemLogger), syslog(3),
syslogd, aslmanager BalaBit syslog-ng (new generation) filters not only facility.level, txt | database, TCP|UDP
Simple log watcher takes action on matching event.
Apple System Log server (ASL) deamon Mac OS X October 18, 2004

From /System/Library/LaunchDaemons 5/20/13

    LowPriorityIO: true
    Nice 1
    StartCalendarInterval:Minute 30

reformatted by ed
/System/Library/LaunchDaemons > plutil  -p
  Label =>
  JetsamProperties => { JetsamPriority => -49 JetsamMemoryLimit => 300 }
  EnvironmentVariables => { ASL_DISABLE => 1 }
  MachServices => { => { ResetAtClose => 1 } }
  EnableTransactions => 1
  ProgramArguments => [ 0 => /usr/sbin/syslogd ]
  Sockets => { AppleSystemLogger => { SockPathName => /var/run/asl_input SockPathMode => 438 }
               BSDSystemLogger   => { SockPathName => /var/run/syslog SockType => dgram SockPathMode => 438 }
  HopefullyExitsLast => 1
  OnDemand => 0

Made true HTML and terse by Dennis German