Unified Logs | macOS High Sierra

macos high-sierra logs

I have macOS unified logs from System A in .logarchive format. Any attempts to parse the .logarchive in System B using log show command provides following error:

bash-3.2#log show /tmp/unifiedlogsv2/unifiedlogs.logarchive
        ==========
    /private/tmp/unifiedlogsv2/unifiedlogs.logarchive
        ==========
    log: Archive format needs updating (to version 3), doing so will render the archive unreadable by older tools.
    Re-run log with --force if you want to allow this upgrade

When run with --force option, the following error is displayed:

bash-3.2# log show --force /tmp/unifiedlogsv2/unifiedlogs.logarchive|more
log: warning: The log archive contains partial or missing metadata
log: Could not open log archive: The log archive format is corrupt and cannot be read
==========
/private/tmp/unifiedlogsv2/unifiedlogs.logarchive
==========

The same logarchive opens fine in Console. My objective is to parse the logarchive using the log show command. Any suggestions how to do so?


Solution 1:

The man log page shows two switches, --file file and --archive archive. You will likely need to include one of them when working with archives from another system which didn't originate on the local system.

log show [--archive archive | --file file] [--predicate filter] [--source] [--style default | compact | json | syslog] [--color auto | always | none]
     [--start date/time] [--end date/time] [--[no-]info] [--[no-]debug] [--[no-]signpost] [--last time [m|h|d]] [--timezone local | timezone]

The man page goes on to detail those 2 switches like so:

    --archive archive
                     Display events stored in the given archive. The archive 
                     must be a valid log archive bundle with the suffix
                     .logarchive.

    --file file      Display events stored in the given .tracev3 file. In order 
                     to be decoded, the file must be contained within
                     a valid .logarchive bundle, or part of the system logs 
                     directory.

Example

Since you're working with .logarchive formatted files you likely want to use the --archive switch:

$ log show --archive /tmp/unifiedlogsv2/unifiedlogs.logarchive

Related

How to see all windows of an application within a space?
Prevent Microsoft Office applications to follow desktop (Spaces)
Can I script actions while screensaver is engaged and a USB device is attached?
List of all interfaces in my laptop
If a computer is under the shared header in Finder, can they access all the files on my computer?
Which APP should I use if I want to draw a workflow with mathematical expressions on Mac?
Is there a way to close all ports using iOS [closed]
What is Openport.app?
Able to open downloaded programs, but once closed need to download again
How to configure iOS 12 sharesheet to add WhatsApp Messaging?
How to tell the mode (Transparency, noise cancellation or none) of airpod pro when it connects to the Apple TV?
is there a way to delete all the photos shared to my iPad from my iPhone (done through iCloud), but keep all my original iPad photos?