Determining/associating the log subsystem for apps installed via package managers

I've watched this highly informative talk on the unified logs and been reading whatever documentation or blog posts I can find on the subject, but I haven't found or don't understand how to link an app (for example, an SSHD server) that has been installed via, say Macports or pkgsrc, to a subsystem.

Is it something the developer has to specify within the code? I use launchctl plists quite often, is it something I can add there? (the man page has nothing on it, same goes for the log man page)

If I list the files in /System/Library/Preferences/Logging/Subsystems/ and /Library/Preferences/Logging/Subsystems/ there's a lot of plists that Apple call "logging profiles". The /Library/… one has com.openssh.sshd.plist with these contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DEFAULT-OPTIONS</key>
    <dict>
        <key>Level</key>
        <dict>
            <key>Enable</key>
            <string>default</string>
        </dict>
    </dict>
</dict>
</plist>

I can't see if this applies to:

  • only the SSHD supplied by Apple in /usr/sbin/sshd
  • any SSHD run on the machine
  • the sshd entry in /etc/services
  • something else…

Perhaps I can write a logging profile and place it in there for apps I install? Are apps automatically placed in subsystems because of system resources they ask for? I'm just not sure.

Sorry if the question is confusing, it's because I'm confused! Any help or insight given will be much appreciated.

Note: The system I'm currently on is 10.14 but I'm asking in a general way as I know the unified logs came in after 10.10 and (as the talk points out) there are slight differences even between OS minor versions.


The subject here are the configuration files for Apple's Unified Logging system - in particular for subsystems.

Yes, the subsystem is something the developer can specify in their code. A developer that uses Unified Logging on macOS commonly do so by calling into the OSLog class on macOS 10.x, or the Logger class on macOS 11.x. When initialising an instance of the class, the developer can provide the subsystem as a string - which is recommended to be in the reverse DNS notation (i.e. com.openssh.sshd for example).

The developer is free to create multiple subsystems for various parts of the program, so you could in theory have "com.openssh.sshd.authentication" and "com.openssh.sshd.network" subsystems.

The developer can also choose not to specify a subsystem at all - and just log something. This is typically what happens with developers that did not take Unified Logging into account. In that case macOS supplies a default subsystem name - in general this is the bundle identifier for the app.