It’s increasingly clear that most advanced Mac users, consultants, system administrators, and developers lack one essential skill: being able to read the log, log literacy.
In the last couple of weeks, as arguments have raged over whether Apple checks the content of your images, I’ve seen evidence from software firewalls, sniffed network packets, even disassembled code, but no one other than myself appears to have read the log. People have reported problems with the 13.2 update, with TCC databases, and all manner of other aspect of macOS, but no one appears to have checked their log before trying out time-consuming and potentially destructive solutions.
As with so much else in macOS, the only place you’re likely to find that crucial diagnostic information is the log. That’s why, whenever you report a bug or serious problem to Apple, you’re asked to run a sysdiagnose, as, in addition to a lot of other information, it contains an extract taken from that Mac’s log. Apple’s engineers then use that to work out what went wrong, as they are log literate.
The two main barriers to log literacy are tools and the sheer quantity of entries in the log. If you think you’ve just got the choice between the bundled and largely impotent Console app and the log show command, then you should try my free log browser Ulbow. Over the coming weeks, I’ll be showing you how you can use it to make log access convenient, and how to cope with the volume of log entries.
Demonstration
Download the current version of Ulbow from here. It comes in a Zip archive: unZip it, and move the Ulbow app into your Applications folder, or another folder where you want to run it from. Alongside it is a copy of its PDF Help book. Ulbow already contains an internal copy, so you can read that at your leisure without having to open the app.
Ensure that you’re logged on as an admin user. To obtain log extracts, Ulbow uses the log show command, which only returns successful results for admin users.
Then choose an event you want to view in the log. For a first look, I suggest opening a simple app like TextEdit from the Dock or Finder. Don’t get overambitious at this stage: keep it basic at first. Watch the clock seconds on your Mac, and when they just change to a convenient time like 00, open that app either by double-clicking it in the Finder, or clicking it in the Dock. Try to make your clicks a fraction of a second after the clock changes to 00 seconds. Then wait at least ten seconds before quitting the app. Note the time that you opened the app, for the sake of this example 15:28:00.
Now open Ulbow, which opens a new browser document window. Before setting that up, open its View menu and check that it looks like this.
The most important of these for the moment is Limit entries shown. That ensures that, no matter how many log entries might result from getting a log extract, you won’t be saddled with trying to scroll through hundreds of thousands of them. By default, they’re limited to around a thousand, which is normally quite enough to be going on with.
Now set the controls up in the window. First set the relative to date and time. When you first open a window, they’re set to the date and time of opening that window, the same as you’d get if you had clicked immediately on its Now button. To adjust the time, select the seconds or minutes as necessary and use the stepper control to the right to adjust them until that time matches when you opened the app, here 15:28:00.
Now decide on the period of log excerpt you want to view, and set that in Period to the left. Here I’ve gone for just 5 seconds, which is ample. Finally, pick a style to use to display log entries using the popup at the top right. I suggest regular should do nicely here. Then click the Get log button.
Browsing the log
Once the log entries are displayed, two figures between the Now and Get log buttons are updated. The first, in parentheses, is the total number of log entries obtained, and the second is the number displayed in the window below. This is why it’s worth limiting the number of log entries shown: in that 5 second period, there were a total of 44,340 entries!
The regular style being used here is good for general use, and uses colour to advantage. Reading from the left, each entry contains:
- the time in red,
- the message type (Default, Info, Error, etc.) in green,
- process IDs of receiver and sender in blue,
- subsystem in red,
- then the message in black.
Some messages may lack some of those fields, but when you enlarge the window to allow most entries to fit on single lines, they should be easier to read.
You could just start browsing those entries, but you’re most interested in the launch of the app. To locate that, click in the view containing the log entries, then use the Edit/Find/Find… menu command to open a Find window. Enter the name of the app and click on the Next button.
You can use Find’s Next button to hunt for further log entries containing the app’s name, or start scrolling down from its first mention.
In older versions of macOS, and when launching third-party apps, you might see many LaunchServices entries next. As TextEdit is a bundled app on the SSV, much of what follows is handled by Running Board, as seen in long volleys of log entries from com.apple.runningboard, and frequent acquiring of assertions, which is what Running Board handles.
A little way down, you should see app launch proper, here as a spawning. More recent versions of macOS also use complex subsystem naming: previously, this would have just used com.apple.TextEdit, but now adds information that it’s a GUI app owned by user 501 and more.
A little later you’ll see the app set itself up, here requesting its sandbox, and that being granted.
Going further
If there are relatively few log entries in the extract, you can turn off the limit to entries shown in the View menu. You can also adjust it in Ulbow’s Settings, where the figure is at the bottom left of the window. You can also adjust the period, although in older versions of macOS periods of less than about 5 seconds don’t work too well.
This introductory demonstration has shown how you can obtain and browse log entries following an event that took place at a known time. You can use the same principles and controls to examine any other event for which you have an accurate time. In future articles, I will extend this, and introduce more of Ulbow’s many features, including the use of predicates to limit the entries obtained.