peeling back the bark > @chilcote
TRANSCRIPT
peeling back the bark
> @chilcote
Legacy
Apple System Logger (asl)
Unix (syslog)
Audit logs (BSM)
NOTE: Most system logs have moved to a new logging system. See log(1) for more information.
> syslog manpage
Unified Logging
Cross-device
Binary format
Volatile
brevity
vs
verbosity
All you have to do is write one true sentence. Write the truest sentence that you know.
> Ernest Hemingway
"For sale: baby shoes, never worn."
> Ernest Hemingway
"Wait," he said, staring. "You're me."
> Don't judge; I got free tickets
I've put in so many enigmas and puzzles that it will keep the professors busy for centuries
arguing over what I meant, and that's the only way of insuring one's immortality.
> James Joyce
I have eaten the plums that were in the icebox
> brevity
We few, we happy few, we band of brothers;
For he to-day that sheds his blood with me
Shall be my brother; be he ne'er so vile,
This day shall gentle his condition
> verbosity
More is better, really
> Apple Technote tn2347
single, efficient, performant API
> Apple Dev Site
Log levels: types of messages, persistence, Configuration Profiles

Level    Types of messages                          Persistence
-------  -----------------------------------------  ------------------------------------------------------
default  Potential failures                         Memory buffer; data store; purged
info     Non-essential                              Memory buffer; saved to data store with faults; purged
debug    Dev only                                   Memory buffer; requires a configuration change; purged
error    Process-level errors                       Not buffered; data store; purged
fault    System-level errors, multi-process errors  Data store; purged
Data Store
tracev3 (compressed binary) format
/var/db/diagnostics
/var/db/uuidtext
Legacy APIs
NSLog
syslog
asl_log_message

New APIs
os_log
os_log_info
os_log_debug
os_log_fault
os_log_create
Log Format
Timestamp                       Thread  Type   Activity    PID
2017-07-14 09:25:00.177592-0700 0bn0X   Fault  0x8005428c  343  macadminsd: (PSUMacAdmins) [com.psumac.pay.attention] [ERROR] get off of twitter

Log Format (annotated)
2017-07-14 09:25:00.177592-0700 \  # Timestamp
0bn0X \                            # Thread
Fault \                            # Type
0x8005428c \                       # Activity
343 \                              # PID
macadminsd: \                      # Process Name
(PSUMacAdmins) \                   # Library
[com.psumac.pay.attention] \       # Subsystem & Category
[ERROR] get off of twitter         # Message
Log Format2017-07-14 09:25:00.177592-0700 \ # Timestamp 0bn0X \ # Thread Fault \ # Type 0x8005428c \ # Activity 343 \ # PID macadminsd: \ # Process Name (PSUMacAdmins) \ # Library [com.psumac.pay.attention] \ # Subsystem & Category [ERROR] get off of twitter # Message
Log Format2017-07-14 09:25:00.177592-0700 \ # Timestamp 0bn0X \ # Thread Fault \ # Type 0x8005428c \ # Activity 343 \ # PID macadminsd: \ # Process Name (PSUMacAdmins) \ # Library [com.psumac.pay.attention] \ # Subsystem & Category [ERROR] get off of twitter # Message
Log Format2017-07-14 09:25:00.177592-0700 \ # Timestamp 0bn0X \ # Thread Fault \ # Type 0x8005428c \ # Activity 343 \ # PID macadminsd: \ # Process Name (PSUMacAdmins) \ # Library [com.psumac.pay.attention] \ # Subsystem & Category [ERROR] get off of twitter # Message
Log Format2017-07-14 09:25:00.177592-0700 \ # Timestamp 0bn0X \ # Thread Fault \ # Type 0x8005428c \ # Activity 343 \ # PID macadminsd: \ # Process Name (PSUMacAdmins) \ # Library [com.psumac.pay.attention] \ # Subsystem & Category [ERROR] get off of twitter # Message
signal
vs
noise
$ log
usage: log <command>

global options:
  -?, --help
  -q, --quiet
  -v, --verbose

examples:
  log show
  log collect
  log erase --all
  log help stream

commands: collect, config, erase, show, stream

further help: log help <command>
log show --predicate 'eventMessage contains "shutdown"' \
  --style syslog \
  --info \
  --last 12h

log show --predicate 'eventMessage contains "shutdown"' \
  --style json \
  --debug \
  --last 7d

log show --predicate 'subsystem == "com.apple.Finder"' \
  --info \
  --start '2017-06-05 06:00:00' \
  --end '2017-06-05 06:59:00'
log show --predicate examples:

--predicate 'eventMessage contains "my message"'
--predicate 'eventType == logEvent and messageType == info'
--predicate 'processImagePath endswith "d"'
--predicate 'not processImagePath contains[c] "some spammer"'
--predicate 'processID < 100'
--predicate 'senderImagePath beginswith "my sender"'
--predicate 'eventType == logEvent \
  and subsystem contains "com.example.my_subsystem"'
log stream --style json \
  --process "Finder" \
  --type log \
  --level info

log stream --style json \
  --process "Finder" \
  --type log \
  --level debug \
  --timeout 1h

log stream --style syslog \
  --process "Finder" \
  --type activity \
  --level default
log collect --output ./foo.logarchive \
  --start "2017-07-06 11:00:00"

log collect --output /tmp/foo.logarchive \
  --last 24h \
  --size 50k

log collect --last 3d \
  --size 200m
log config --status
log config --mode "private_data:on"
log config --reset
log config --mode "level:debug"
log config --process=999 --mode="persist:info,propagate:off"
log config --subsystem com.example.my_subsystem
log config --category example_category
log erase --all
log erase --ttl
Console.app
INTERMISSION
steagles
> 1943
Writing logs
Logic and branching
Unique and easy to find text patterns
Variable and property values
Who is being called?
Log a backtrace of your stack!
Writing logs
Don't litter the logs
Annotate high-frequency logs for filtering
Generate context-specific sysdiagnoses
Specify user-concerning issues
> Daniel Jalkut
logger -is -t foo "Hello PSU"

log show --predicate \
  'eventMessage contains "Hello PSU"' \
  --last 5m
>>> from Foundation import NSLog
>>> NSLog("Hello PSU")
2017-07-08 16:21:53.917 Python[3233:179310] Hello PSU
log stream --predicate 'eventMessage contains "Hello PSU"' --info
Filtering the log data using "eventMessage CONTAINS "Hello PSU""
Timestamp                       Thread     Type        Activity             PID
2017-07-08 16:21:53.917539-0700 0x2bc6e    Default     0x0                  3233   Python: (libffi.dylib) Hello PSU
More is better, really
Examples
log show --debug \
  --predicate 'process == "EmbeddedOSInstallService"'

log stream --info \
  --debug \
  --predicate 'processImagePath contains "cloudconfig"'

log show --predicate 'eventMessage contains "Previous shutdown cause"' \
  --last 24h

log show --predicate 'eventMessage contains "ECDebug"' \
  --last 10m

log stream --style syslog \
  --process "Imagr" \
  --type log

log show \
  --predicate 'eventMessage contains "BOOT_TIME"' \
  --style json \
  --info

log show \
  --predicate 'eventMessage contains "System Wake"' \
  --style json \
  --info
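The `--style json` form of the `log show` queries above, consumed from a script instead of read by eye, with the "Previous shutdown cause" example carried through to a list of cause codes. This is an added example, not code from the talk. It assumes that `log show --style json` emits a JSON array whose objects use the same field names as the predicate examples on the earlier slide (eventMessage, messageType, processImagePath, subsystem, processID, timestamp); the records in SAMPLE_JSON are constructed so the script also runs on a machine without `log`.

```python
import json
import re
import shutil
import subprocess
from collections import Counter

# Assumed: `log show --style json` emits a JSON array whose objects use the same
# field names as the predicate examples (eventMessage, messageType,
# processImagePath, subsystem, processID, timestamp).
# Constructed sample, not captured from a real Mac.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2017-07-13 08:01:02.000000-0700", "messageType": "Default",
     "processImagePath": "/kernel", "subsystem": "", "processID": 0,
     "eventMessage": "Previous shutdown cause: 5"},
    {"timestamp": "2017-07-13 08:01:03.000000-0700", "messageType": "Info",
     "processImagePath": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "subsystem": "com.apple.Finder", "processID": 120,
     "eventMessage": "noise noise noise"},
    {"timestamp": "2017-07-14 07:30:00.000000-0700", "messageType": "Default",
     "processImagePath": "/kernel", "subsystem": "", "processID": 0,
     "eventMessage": "Previous shutdown cause: -60"},
])

SHUTDOWN_RE = re.compile(r"Previous shutdown cause: (-?\d+)")


def log_show_argv(predicate, last="24h", style="json", info=True):
    """argv for the `log show` form used on the slides; --info is needed for Info events."""
    argv = ["log", "show", "--predicate", predicate, "--style", style, "--last", last]
    if info:
        argv.append("--info")
    return argv


def fetch_records(predicate, last="24h"):
    """Run `log show` where it exists (macOS); elsewhere use the constructed sample.
    Always pass a predicate: an unfiltered --last 7d JSON dump is enormous."""
    if shutil.which("log") is None:
        return json.loads(SAMPLE_JSON)
    proc = subprocess.run(log_show_argv(predicate, last),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def select(records, message_contains=None, subsystem=None, types=None):
    """Client-side equivalent of the three predicate clauses on the slides:
    eventMessage contains "...", subsystem == "...", messageType == ..."""
    out = []
    for r in records:
        if message_contains is not None and message_contains not in r.get("eventMessage", ""):
            continue
        if subsystem is not None and r.get("subsystem") != subsystem:
            continue
        if types is not None and r.get("messageType") not in types:
            continue
        out.append(r)
    return out


def shutdown_causes(records):
    """(timestamp, cause code) for every 'Previous shutdown cause' event, in log order."""
    found = []
    for r in records:
        m = SHUTDOWN_RE.search(r.get("eventMessage", ""))
        if m:
            found.append((r["timestamp"], int(m.group(1))))
    return found


def cause_counts(records):
    """How often each cause code appears; a run of unexpected codes is worth a look."""
    return Counter(code for _, code in shutdown_causes(records))


if __name__ == "__main__":
    recs = fetch_records('eventMessage contains "Previous shutdown cause"', last="7d")
    for ts, code in shutdown_causes(recs):
        print(ts, code)
    print(dict(cause_counts(recs)))
```

The filtering is done twice on purpose: the predicate keeps the JSON the `log` command hands back small, and `select` lets you slice that result further without re-reading the data store, which on a busy Mac is the slow part.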
<key>com.apple.SCEP</key>
<dict>
    <key>DEFAULT-OPTIONS</key>
    <dict>
        <key>Default-Privacy-Setting</key>
        <string>Public</string>
        <key>Level</key>
        <dict>
            <key>Enable</key>
            <string>debug</string>
            <key>Persist</key>
            <string>debug</string>
        </dict>
    </dict>
</dict>
> Profile Docs
Thank you
> @chilcote
References
https://developer.apple.com/reference/os/logging
https://developer.apple.com/videos/play/wwdc2016/721/
http://asciiwwdc.com/2016/sessions/721
https://developer.apple.com/bug-reporting/profiles-and-logs/?platform=macos
https://developer.apple.com/library/content/technotes/tn2347/_index.html
https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html
https://eclecticlight.co/2016/09/29/welcome-to-macos-sierras-new-console-its-buried-in-terminal
https://eclecticlight.co/2016/09/23/sierras-console-promising-but-incomplete/
https://eclecticlight.co/2016/10/01/using-the-logs-in-sierra-some-practical-tips/
http://krypted.com/mac-os-x/log-logs-logger/
http://krypted.com/mac-os-x/macos-logging-subsystems-gist/
https://gist.github.com/krypted/495e48a995b2c08d25dc4f67358d1983
http://www.amsys.co.uk/2017/01/state-of-logging/
http://www.modtitan.com/2017/04/finding-shutdown-causes-in-macos.html
https://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts-introducing-unified-logging
http://blog.eriknicolasgomez.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/
https://github.com/grahamgilbert/imagr/wiki/Troubleshooting
http://bitsplitting.org/2016/10/26/log-littering/
https://mosen.github.io/profiledocs/payloads/logging.html