macOS includes a powerful logging system that captures detailed information about system activities, application behavior, and security events. Understanding how to manage and analyze macOS logs is essential for troubleshooting issues, monitoring performance, and ensuring system security.
macOS primarily maintains three types of logs:
- System Logs – Record system-level events, such as hardware changes, network activities, and kernel events.
- Application Logs – Capture events related to installed applications.
- Security Logs – Track security-related activities, such as user authentication, permissions changes, and failed access attempts.
This guide covers how to access, configure, and analyze logs in macOS to optimize system management and troubleshooting.
Log & Configuration File Locations
Before getting into the details, it’s helpful to understand where macOS stores its logs:
Log Type | Location |
---|---|
System Logs | /var/log/system.log |
Application Logs | ~/Library/Logs/ and /Library/Logs/ |
Security Logs | /var/log/asl/ and via the Unified Logging System |
Kernel Logs | /var/log/kernel.log (Older macOS versions) |
With macOS 10.12 Sierra and later, Apple introduced the Unified Logging System, which consolidates logs into a single database managed by the `log` command.
Understanding macOS System Logs
What Are System Logs?
System logs capture events related to macOS system processes, kernel activities, network connections, and hardware changes. These logs are useful for:
- Diagnosing system crashes and hardware failures
- Monitoring system performance and network activity
- Troubleshooting kernel panics and boot issues
Accessing System Logs
To access system logs, you can use the Console app or the Terminal:
Method 1: Using the Console App
- Open the Console application (Applications > Utilities > Console).
- Click on System Reports or All Messages to browse system logs.
Method 2: Using Terminal
You can also use the `log` command to query system logs:
sudo log show --predicate 'eventMessage contains "error"' --info
Sample System Log Entry:
Timestamp: 2024-11-14 10:16:45.123
Category: system
Message: Error: Disk not ejected properly.
Field | Description |
---|---|
Timestamp | Date and time of the event |
Category | Log category (e.g., system, network, kernel) |
Message | Description of the event |
Understanding macOS Application Logs
What Are Application Logs?
Application logs capture events generated by software applications installed on macOS. These logs are helpful for:
- Troubleshooting app crashes and freezes
- Monitoring application performance
- Debugging application errors
Accessing Application Logs
Application logs are stored in the following directories:
Location | Description |
---|---|
~/Library/Logs/ | User-specific application logs |
/Library/Logs/ | System-wide application logs |
/Applications/<AppName>/Logs/ | Application-specific logs (if available) |
Viewing Logs with the Console App
- Open Console.
- Select System Reports or User Reports to view application logs.
Viewing Logs in Terminal
To access application logs via Terminal, use the `log` command:
log show --predicate 'process == "Safari"' --info
Sample Application Log Entry:
Timestamp: 2024-11-14 11:20:05
Application: Safari
Message: Failed to load webpage: connection timeout.
Field | Description |
---|---|
Timestamp | Date and time of the event |
Application | Name of the application |
Message | Description of the issue |
Understanding macOS Security Logs
What Are Security Logs?
Security logs track security-related events, such as user logins, password changes, and failed authentication attempts. These logs are crucial for:
- Auditing user activity
- Detecting unauthorized access attempts
- Monitoring system security
Accessing Security Logs
macOS uses the Unified Logging System for security logs, which can be queried using the `log` command:
sudo log show --predicate 'subsystem == "com.apple.security"' --info
Sample Security Log Entry:
Timestamp: 2024-11-14 12:45:30
Subsystem: com.apple.security
Message: User authentication successful for user 'admin'.
Field | Description |
---|---|
Timestamp | Date and time of the event |
Subsystem | Security-related subsystem |
Message | Description of the security event |
Common Security Events
Event | Description |
---|---|
Authentication Success | User successfully logged in |
Authentication Failure | Failed login attempt |
Password Change | User password was changed |
File Access Denied | Unauthorized file access attempt |
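
To turn exported entries into a detection, the following added example (not part of the original guide) parses newline-delimited JSON of the kind `log show --style ndjson` emits and flags users with repeated authentication failures inside a short window. The field names `timestamp`, `subsystem` and `eventMessage`, the timestamp layout, and the failure message wording are assumptions, and the sample records are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"   # assumed timestamp layout in the export
FAILED_RE = re.compile(r"authentication failed for user '([^']+)'", re.I)

def _rec(clock, msg, subsystem="com.apple.security"):
    return json.dumps({"timestamp": f"2024-11-14 {clock}.000000-0800",
                       "subsystem": subsystem, "eventMessage": msg})

# Constructed sample: message wording mirrors the sample entry above.
SAMPLE = "\n".join([
    _rec("12:45:30", "User authentication successful for user 'admin'."),
    _rec("12:50:01", "User authentication failed for user 'admin'."),
    _rec("12:50:20", "User authentication failed for user 'admin'."),
    _rec("12:51:05", "User authentication failed for user 'admin'."),
    _rec("12:52:00", "User authentication failed for user 'guest'."),
    _rec("12:53:00", "User authentication failed for user 'guest'.", "com.example.app"),
    "-- constructed non-JSON line, skipped by the parser --",
])

def failed_logins(ndjson_text, subsystem="com.apple.security"):
    """Map each user to the timestamps of failures logged by one subsystem."""
    hits = defaultdict(list)
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(rec, dict) or rec.get("subsystem") != subsystem:
            continue
        m = FAILED_RE.search(rec.get("eventMessage") or "")
        if m and rec.get("timestamp"):
            hits[m.group(1)].append(datetime.strptime(rec["timestamp"], TS_FORMAT))
    return hits

def bursts(hits, threshold=3, window=timedelta(minutes=5)):
    """Return {user: start of first burst} for >= threshold failures per window."""
    flagged = {}
    for user, times in hits.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = times[i]
                break
    return flagged

if __name__ == "__main__":
    for user, start in bursts(failed_logins(SAMPLE)).items():
        print(f"{user}: repeated failures starting {start.isoformat()}")
```

Matching on the exact subsystem keeps look-alike messages from other software out of the count; tune `threshold` and `window` to the login behaviour you normally see.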
Using the Unified Logging System in macOS
With macOS 10.12 Sierra and later, Apple introduced the Unified Logging System, which stores logs in a centralized database. You can use the `log` command to filter, query, and analyze logs:
View all logs:
log show --info
Filter logs by keyword:
log show --predicate 'eventMessage contains "error"' --info
View recent logs (last 1 hour):
log show --info --style syslog --last 1h
Export logs to a file:
log show --predicate 'process == "Finder"' --info > ~/Desktop/finder_logs.txt
Configuring Log Retention and Size
The Unified Logging System automatically manages log rotation and retention based on system storage availability. However, you can use `log` commands to manage the logs if needed:
sudo log config --mode "level:default"
This sets the system-wide log level to default, which reduces the amount of data being logged compared with the info and debug levels.
Mastering macOS system logs is essential for effective system administration, troubleshooting, and security monitoring. By using the Console app and `log` command, you can gain deep insights into your macOS system’s performance, diagnose issues, and enhance overall security.
Use this guide to optimize your logging practices on macOS and improve your troubleshooting capabilities.