Apple Tips

OSX  Log  Files

                 Previous                        Home                        Contact                           Next

 

               Previous                           Home                              Contact                                  Next

Your Mac contains numerous log files, with all sorts of information, sent by various system processes and applications.  Most of it seems rather cryptic, meant for developers and others trying to diagnose problems, and many Mac users never have a reason to look at them.  But they can be very useful to help diagnose a problem.

This is a general overview, with some detail on selected topics.

They can be seen in a couple of ways, depending on your purpose.   It's usually best to do this while logged-on as an Admin user, as others don't have permission to read many of them.


  1. To view only the messages from Time Machine backups from the last few days, see  #A1.  Time Machine Buddy widget  (on the Time Machine - Troubleshooting site).

  2. To see the sizes of your logs, if you suspect a problem, use the Finder, per the green box.

  3. To locate and read your logs, use the Console application.  See the tan box for details.

  4. See the pink box for information about Crash (or Hang) logs, once you've found them.

Using the Console app (in your Applications/Utilities folder)


Use this app to locate and view your logs.

When it starts, click Show Log List in the toolbar (it will change to Hide Log List), then navigate in the sidebar that opens up.  There are any number of logs in various places (and, confusingly, in Snow Leopard, some are listed twice).

Open the various folders by clicking the small disclosure triangles in front of them.  If you open them all, you'll see a window with a sidebar something like this:


All Macs will have roughly the same structure of folders, and many of the same logs, but different versions of OSX will vary somewhat (the sample is from Snow Leopard), and there may be different logs & folders depending on what apps you have and use.

The logs outlined in green are in the logged-on user's <home folder>/Library/Logs folder.  To see a different user's logs, you must sign on with that user account (but note their crash logs may be duplicated in the upper section).

To view a particular log, just select it in the sidebar, unless it's shown in gray, meaning you don't have permission to read it.

Note the Diagnostic and CrashReporter folders (outlined in red).  There may be as many as four Diagnostic folders, some showing the same files.  Each crash log file is named with the name of the app or process that crashed, and the date.  And sometimes the same log is shown in 2 or 3 places. 

(On Leopard, there may be a HangReporter folder, where you'll find logs on processes that have stalled.  Those will be in the Diagnostic folder(s) on Snow Leopard.)

See the pink box below for details on crash logs.

Also note that the system.log is shown twice;  once towards the top, right under the FILES folder, and again towards the bottom, usually followed by some similar ones (outlined in blue). 

System.log is the current version;  the system.log.0.bz2, etc., files towards the bottom are the "archived" and compressed previous versions, usually one per day or so.

See the blue box below for help deciphering the contents.

The daily, weekly, and monthly periodic "Maintenance scripts," outlined in orange, are explained in OSX Maintenance Scripts.

 

Checking the SIZE of your logs.

Many of the log files are located in the /private/var/log folder, others in /Library/Logs, and others, mostly from user applications, are in each user's <home folder>/Library/Logs folder).

             

The /private folder is hidden (to keep us mere mortals from messing with things we shouldn't and damaging our systems).

To see these logs and their sizes, from a Finder window's menubar, select Go > Go to Folder.  A prompt will appear:  type  /var/log in the box.  To see the sizes, it's probably easiest to have the Finder in List view (select View > As List from the menubar).

That should produce a window roughly like this (the contents may vary, of course):


If the size column isn't shown, select View > Show View Options from the menubar, and check the size box.

If all the sizes aren't shown, select View > Show View Options from the menubar, and check the Calculate all sizes box towards the bottom.

Anything over 1 GB is an indication of a problem.  The most common are:

  1. The asl folder.  Click the disclosure triangle, and you should see a series of files named by date, plus a couple of others.  There should be dated files for the last week or so;  if there are many more, select the old ones and delete them (you'll have to enter your Admin password), then empty the trash.  That means your Mac's automatic maintenance isn't running.  See OSX Maintenance Scripts.  If there are a lot of files here, you may have the next problem, too:

  2. Your system.log and/or system.log.0.bz2, etc. files (the ones with bz2 suffixes are compressed).  You can safely delete any or all of them, but unless space is critical, try to leave the system.log file, at least temporarily, so you can examine it to determine what's wrong (if you do need to delete it, the system will create a new one almost immediately).  You can view the logs via the Console app, in the tan box below, or just double-click it to display it. See the blue box below for help deciphering the contents.

  3. These logs (and some others) are normally "rotated" (#7 deleted, the others incremented, the current system.log compressed into system.log.0.bz2, and a new system.log created) by the newsyslog process that runs at 12:30 am local time.  If your system.log covers many days, just leave your Mac awake at that hour occasionally so they'll get rotated.

  4. If you're comfortable with UNIX and Terminal:

  5. The schedule and handling can be altered.  See the MAN pages for newsyslog and newsyslog.conf.  Alterations may have to be re-done after OSX upgrades.

  6. You can rotate them immediately.  Copy and paste this after a Terminal prompt: 

  7. sudo newsyslog -F /var/log/system.log 

  8. (You'll be prompted for your Admin password, which won't be displayed.)

 

Examining the system.log(s)

Here's a sample system.log:


It looks like gibberish at first, but you'll see 5 parts to each message:

  1. The date and time of the message (in 24-hour mode).

  2. The Computer Name (usually); in this case, "JPsBigiMac."

  3. The name of the process or app that sent the message.  This may be a simple name (like iWeb and Safari towards the bottom), or a more complex one (like the Time Machine backup messages: com.apple.backupd.)

  4. The Process ID, a unique number, enclosed in square brackets and followed by a colon, like [16065]:.  (Note:  if you copy these to the Apple Forums, the square brackets will be treated as containing a URL link, and won't be displayed, and the number will appear in blue).

  5. The actual message.  Some of these are fairly self-explanatory, many aren't.

                     

If you're looking for something in particular, you can type in the search box at the top to limit the display to messages containing that character string.  Since the messages are in order by date & time, that can be helpful to "zero in" to a particular application.  As an example, note how the Time Machine backup messages (sent by the backupd process) are hard to read with all the other messages mixed in.

             

Application Installation or Removal problems

The most obvious problems are often the same message, or group of messages, repeated over and over. 

Things like "exited with code," "No such file or directory," and especially "Throttling respawn: will start in 10 seconds" often indicate something left over from an application that used an installer, and was only partially-installed or partially-removed.  Examine the sender name; it's probably an app that you recently installed or tried to remove.  In some cases, though, one app will also install another, "helper" app, with a different name, that you're unaware of.

The best way to correct this is to uninstall the app in question.  If you still have it, see if it has an "uninstall" option in it's installer, or a separate "uninstall" component.  You may have to reinstall the app to be able to uninstall it properly.

If not, there are some 3rd-party apps that attempt to delete any leftovers.  Some are:  AppZapper and CleanApp require payment, AppCleaner is donationware.

Or, you may be able to do it yourself.  Examine the following folders for "plist" files with the names in the messages: 

            /Library/LaunchAgents              

            /Library/LaunchDaemons

            <home folder>/Library/LaunchAgents (check each home folder)          

Note that you won't find those folders via Spotlight.  Just navigate to them, by opening the top-level Library folder (for the first two) or the Library folder in each home folder.  If you find suspect plist files there, note where they are and move them to your desktop.  Restart your Mac.  If the problems don't stop, move them back.  

            

Other problems

Any dire-sounding message, such as "failed," "exited with code," "exited abnormally," or "I/O error," is rarely good.  Unless it's self-explanatory, or covered above, search or browse the appropriate Apple Discussions forum.  If you can't find a thread about the message, post a new one and copy the message there.


Monitoring the log for a reproducible problem

If a problem is easily reproducible, one way to locate the messages is to open the system.log.  By default, it opens at the end. 

When you're ready to reproduce the problem, click the red Insert Marker icon in the toolbar (or select View > Insert Marker in the menubar).  That will mark your place so you can see what follows. 

Then reproduce the problem.  If it results in any messages, they'll be much easier to find.

 

Crash Logs       
                

These document apps or processes that have crashed, and sometimes those that have "hung."

The most
important part is the beginning, in the red circle.

It identifies the app or process that failed, the version of OSX, etc., and the Exception info.

If you're going to copy one of these to post in a thread for help, be sure to get this portion.



It may be helpful to get the section for the thread that crashed.





But please do NOT copy the Binary Images section!