When do you need to read the log?

The macOS log underwent major change in Sierra. Although the replacement Unified log isn’t easy for users, it contains a great deal of information that isn’t available anywhere else. A recent claim that “no one should ever, ever look at” the log would deprive users, developers and researchers of that information. This article reviews some of what you’d be missing without looking in the log, and how you can access it without using the Console app.

Time Machine

Log entries enable you to check that backups are being made regularly, snapshots are being deleted correctly, and old backups are being thinned. Time Machine’s GUI only tells you when the last backup was completed. Although it does report some errors, many are only written to the log.

When backups are taking a long time to complete, only their log entries can help you identify what’s taking the time, and guide you as to what you might add to the exclusion list to accelerate them.

Tools: T2M2 is a dedicated analysis tool that also gives full access to log entries; also available in Mints.

Spotlight

Failure to index a volume for Spotlight’s indexing isn’t normally reported to the user in the GUI but can be discovered in the log, as can individual problems encountered by mdworker when trying to index individual files. Without that information, whole volumes can be lost from Spotlight search.

Tools: Mints gives access to testing and log entries.

iCloud

iCloud, both in CloudKit and iCloud Drive, is particularly opaque, and seldom reports any actionable errors to the user in the GUI. Apple also recommends developers of apps using iCloud to learn how to extract information about their app from the log. In general use, entries in the log are valuable for identifying stuck syncing and for developing strategies to address it.

Tools: Cirrus gives access to iCloud Drive testing and log entries; Mints provides general log entries too.

XProtect Remediator

This relatively new malware scanner only reports its scans and their results to the log in Catalina to Monterey; in Ventura and Sonoma results are also available as Endpoint Security events, making them accessible in some third-party security software. Those are the only way of checking whether its scans are taking place, and of inspecting its reports of detections and remediations.

Tools: XProCheck is dedicated to this; Mints also gives general log entries.

Trimming external SSDs

If you can find it in System Information, you should be able to check whether macOS supports Trimming an external SSD. However, there’s only one way to verify that it does happen, and that’s by checking in the log when its volume(s) are being mounted.

Tools: Mints provides the required log extract, and has instructions on to how to use it.

Scheduling background tasks

Hundreds of important background tasks are managed and dispatched by the DAS-CTS sub-systems. The only way to verify that they are working correctly, and to discover the cause of a background task not being run, is by checking in the log.

Tools: Mints provides a custom log browser for this purpose.

Boot times

System Information can tell you when your Mac last started up, but the only way to discover the times of all its startups over the last 24 hours or more is in the log.

Tools: Mints has a custom tool for this.

Software Updates

System Information can tell you which Apple updates have been installed, but provides no way to discover why an update that should be available hasn’t been downloaded and installed correctly. The only way to discover that is from the log.

Tools: Ulbow, as a general log browser.

App Store problems

Sometimes, updates from the App Store become stuck, and aren’t installed. The causes for this can only be discovered in the log.

Tools: Mints has a custom log browser for this.

The Log itself

Occasionally, the log system in Macs doesn’t work properly, or fails completely. More commonly, so many entries are made to it that the period of retention of entries is too short to be of much benefit. These problems can only be discovered and fixed using the log, of course.

Tools: Mints and Ulbow both provide tools to assist.

Panic logs

Although not part of the Unified log, there’s one other type of log that’s essential reading in macOS: the Panic Log, displayed after a Mac starts up following a kernel panic. The Panic Log is almost invariably the only way to discover the cause of a kernel panic, thus to work out what to do to prevent further panics.

Conclusions

I fully appreciate that consulting the log isn’t something that’s likely to be worthwhile for most ordinary users, although utilities such as T2M2 and XProCheck are intended to make its entries widely accessible and comprehensible. However, with the aid of utilities like Mints, accessing the log should be within the grasp of many advanced users, and an essential tool for all those who support Macs. Or maybe these examples are just rare exceptions to the rule that “no one should ever, ever look at” the log?

Links

T2M2, XProCheck, Mints, Ulbow, Cirrus