Channel: Crucial Security Forensics Blog » ASL

The Apple System Log – Part 2 – Console.app

By: Sarah Edwards

Compatibility Note: This article was written using Console.app on 10.6. The 10.7 version changes slightly but still contains the functionality described in this article (actually more; check out the Message Inspector!).

Part 1 showed us how to view the Apple System Log using the command line. For some, the command line can be a challenge; fortunately there is more than one way to view these files. We can use Apple’s native log viewer application, Console.app, to easily view, search and filter these files without using complicated command-line tools or scripts.

The Console application (Figure 1) can be found in the /Applications/Utilities directory.

Figure 1 - Console.app

The Console application can be used to view most, if not all the logs you’ll find on a Mac system. You may even find that you’ll be using this application for viewing Windows and Linux logs!

The “Log List” sidebar gives access to many of the Mac system logs, including the Apple System Log as “All Messages”. The messages seen here are similar to those generated by the syslog command.

The columns at the top of the window can be changed by right/control-clicking on the column bar, as shown in Figure 2. It should be noted that not all of the contents of each entry are available for viewing. For example, you cannot see the PID, UID, or GID data. (Don’t know what I’m talking about? See Part 1.) This menu can also be accessed via the View | Columns menu items.

Figure 2 - Change columns using right or control click.

Search & Filter

Filters:
The filter box shown in the top right corner of the GUI allows us to search for a keyword to filter the results. For example, I executed a search for “_PROCESS”; the results for my logs are shown in Figure 3. For this example I started opening and closing my Terminal program and SSHed into my system. User logins could be their own blog entry, so I will save that for another day, but suffice it to say that a USER_PROCESS is the login and the DEAD_PROCESS is a logoff. Each can be paired with its associated PID number.

Figure 3 - Search for "_PROCESS" Example

“Find” Searches:
Searches may also be done selecting the Edit | Find menu option. This will open an additional toolbar that can be used to search the log, but not filter it. All the entries can be viewed, not just those that match the search term.

Database Searches:
A more complex search may be completed by selecting the File | New Database Search menu option. This will open a new dialog box. As shown in Figure 4, you can create a customized filter. This example searches for entries where the “Sender” is sshd and the message field contains “_PROCESS”. This will create a new “view” on the right side of the Console application.

Figure 4 - New Database Search

Need more detail?

The log entries in “All Messages” do not necessarily contain all of the data you might be looking for. It can be easy to overlook a crucial piece of data if the logs are not viewed in their full, raw format.

Let’s create a syslog file with the data that is not represented in the “All Messages” view. Using the following command introduced in Part 1, we can dump more detailed syslog information to a file. The output file can be opened using the Console application and can be searched and filtered. The only difference is that there is more data available, with each field in square brackets. Notice the field labeled ut_user: this field contains the user account that was logged in. This information was unavailable in the default “All Messages” format.

syslog -d /private/var/log/asl -T utc -F raw > file.out
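As an added example that is not part of the original post or of the Console application, the following Python script reads a raw dump produced by that command, pairs each USER_PROCESS login with the DEAD_PROCESS logoff that shares its PID (the pairing described under Filters above), and applies a Sender/Message filter like the database search in Figure 4. The sample records are constructed; the exact “[Key value]” layout of the -F raw output, the ut_pid and ut_host field names, the UTC time format and the wording of the session messages are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `syslog -F raw` output (not real log data). Each record
# is one line of "[Key value]" pairs; a literal ']' inside a value is assumed to
# be escaped as '\]'. ut_user carries the account that logged in.
SAMPLE_RAW = r"""[Time 2011-05-11 17:29:12 UTC] [Host macbook] [Sender login] [PID 517] [UID 0] [GID 0] [Level 5] [Message USER_PROCESS: 517 ttys000] [ut_user sarah] [ut_pid 517] [ut_line ttys000] [ut_type 7]
[Time 2011-05-11 17:31:40 UTC] [Host macbook] [Sender sshd] [PID 602] [UID 0] [GID 0] [Level 5] [Message USER_PROCESS: 602 ttys001] [ut_user sarah] [ut_pid 602] [ut_line ttys001] [ut_host 192.0.2.10] [ut_type 7]
[Time 2011-05-11 17:35:02 UTC] [Host macbook] [Sender login] [PID 517] [UID 0] [GID 0] [Level 5] [Message DEAD_PROCESS: 517 ttys000] [ut_pid 517] [ut_line ttys000] [ut_type 8]
[Time 2011-05-11 17:36:15 UTC] [Host macbook] [Sender sudo] [PID 640] [UID 501] [GID 20] [Level 5] [Message sarah : TTY=ttys001 ; PWD=/Users/sarah ; USER=root ; COMMAND=/bin/ls]
"""

# One "[Key value]" pair; the value may contain anything except an unescaped ']'.
FIELD_RE = re.compile(r"\[(\S+) ((?:[^\]\\]|\\.)*)\]")
# Assumed shape of the login/logoff messages: "<TYPE>: <pid> <tty>".
SESSION_RE = re.compile(r"^(USER_PROCESS|DEAD_PROCESS): (\d+) (\S+)")


def parse_raw_line(line):
    """Turn one raw ASL record into a dict of field name -> value."""
    return {key: value.replace("\\]", "]") for key, value in FIELD_RE.findall(line)}


def parse_raw(text):
    """Parse a whole `syslog -F raw` dump (one record per line)."""
    return [parse_raw_line(line) for line in text.splitlines() if line.strip()]


def parse_time(value):
    """Parse the Time field as written with `-T utc` (assumed trailing 'UTC')."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def pair_sessions(records):
    """Pair each USER_PROCESS (login) with the DEAD_PROCESS (logoff) carrying the
    same PID. A session whose logoff is missing from the export (still open, or
    outside the captured window) keeps logoff=None and duration=None."""
    open_sessions = {}
    sessions = []
    for rec in records:
        match = SESSION_RE.match(rec.get("Message", ""))
        if not match:
            continue
        kind, msg_pid, tty = match.groups()
        # Prefer the ut_pid field, then the record PID, then the PID in the text.
        pid = rec.get("ut_pid") or rec.get("PID") or msg_pid
        if kind == "USER_PROCESS":
            session = {
                "pid": pid,
                "tty": tty,
                "user": rec.get("ut_user", "?"),
                "sender": rec.get("Sender", "?"),
                "remote_host": rec.get("ut_host", ""),
                "login": parse_time(rec["Time"]),
                "logoff": None,
                "duration": None,
            }
            open_sessions[pid] = session
            sessions.append(session)
        else:
            session = open_sessions.pop(pid, None)
            if session is None:
                continue  # logoff with no login in this export; nothing to pair
            session["logoff"] = parse_time(rec["Time"])
            session["duration"] = session["logoff"] - session["login"]
    return sessions


def search(records, sender=None, contains=None):
    """Equivalent of a Console 'New Database Search': keep records whose Sender
    equals `sender` and whose Message contains the substring `contains`."""
    hits = []
    for rec in records:
        if sender is not None and rec.get("Sender") != sender:
            continue
        if contains is not None and contains not in rec.get("Message", ""):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # For a real export: records = parse_raw(open("file.out").read())
    records = parse_raw(SAMPLE_RAW)
    for s in pair_sessions(records):
        print(f"{s['user']:<8} pid={s['pid']} {s['tty']} via {s['sender']} "
              f"{s['remote_host']} login={s['login']:%H:%M:%S} "
              f"logoff={s['logoff']:%H:%M:%S}" if s["logoff"] else
              f"{s['user']:<8} pid={s['pid']} {s['tty']} via {s['sender']} "
              f"{s['remote_host']} login={s['login']:%H:%M:%S} logoff=(none)")
    for rec in search(records, sender="sshd", contains="_PROCESS"):
        print(rec["Time"], rec["Sender"], rec["PID"], rec["Message"])
```

Pairing on the PID rather than on the tty name matters because a tty is reused as soon as a session ends, so two logins on ttys000 would otherwise be merged; a login with no matching logoff is reported rather than dropped, since an open session at the time of acquisition is itself a finding.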

What are you looking for?

As you have seen, user account login information is easily found, but what else might you find in these logs? Try the following search terms:

“Allow sshd” – SSH connections allowed through the firewall.
“Installed “ – Recently installed applications.
“su[“ or “sudo[“ – Use of the su and sudo commands.
“MAC AUTH” – MAC address of connected access point (authentication attempted or succeeded).

I hope this introduction to the Console application will give you a new outlook on performing quick log analysis on a Mac. You don’t need expert knowledge of the command line, grep or scripting to conduct a triage analysis.


Filed under: Digital Forensics Tagged: analysis, apple, apple system log, ASL, console, forensics, log analysis, mac, osx
