macOS System Log Analysis Β· Unified Logging

Mac System Log Forensics: Unified Log, ASL, and syslog Analysis

Independent forensic analysis of macOS Unified Logs (.tracev3), Apple System Log (ASL), and legacy syslog. We reconstruct authentication events, service activity, remote access, kernel and security subsystem behavior, and detect evidence of log tampering.

← Canonical HubThis page is part of the Mac Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Mac System Log Forensics is the structured examination of macOS logging subsystems. Since macOS 10.12 (Sierra), Apple has used the Unified Logging system, storing compressed binary tracepoints in /var/db/diagnostics/*.tracev3 with supporting strings in /var/db/uuidtext/. Older ASL logs live in /private/var/log/asl/*.asl, and plain-text syslog rotations remain under /private/var/log/. Every entry carries a monotonic timestamp, subsystem, category, process ID, sender image UUID and thread ID, producing a tamper-evident record chain admissible under FRE 702 and 901.

Where macOS logs actually live

PathFormatWhat it holds
/var/db/diagnostics/Persist/*.tracev3Unified Log (binary)Long-lived events; ~30 days on typical volume, longer on servers
/var/db/diagnostics/Special/*.tracev3Unified Log (binary)High-priority events retained separately
/var/db/diagnostics/Signpost/*.tracev3Unified Log (binary)os_signpost intervals from apps and frameworks
/var/db/uuidtext/XX/*Format stringsRequired to decode format specifiers in tracev3 records
/private/var/log/asl/*.aslASL (binary)Legacy Apple System Log β€” auth, install, kernel messages
/private/var/log/system.logtextHuman-readable tail on older systems
/private/var/log/install.logtextmacOS updates and pkg installs
/private/var/log/wifi.logtextWi-Fi association events
/private/var/log/DiagnosticMessages/*.aslASLDiagnosticMessages stream β€” daemon output
/Library/Logs/DiagnosticReports/text/ipsCrash and hang reports (kernel panics, spindump)

Unified Log subsystems that matter in a case

Filtering by subsystem is the core of Unified Log analysis. Every relevant matter reviews these subsystems for the case window:

  • com.apple.securityd β€” keychain and Security framework operations
  • com.apple.SkyLight / com.apple.WindowServer β€” display, screen unlock, screen sharing
  • com.apple.opendirectoryd β€” local and network authentication
  • com.apple.authorization β€” sudo, admin prompts, TCC prompts
  • com.apple.TCC β€” Transparency, Consent, Control (privacy prompts and grants)
  • com.apple.loginwindow β€” console login/logout, screensaver unlock
  • com.apple.screensharing / com.apple.RemoteDesktop β€” Screen Sharing and ARD
  • com.apple.sshd β€” SSH connections and authentication
  • com.apple.usbmuxd / com.apple.iokit.IOUSBFamily β€” USB device connect/disconnect
  • com.apple.kernel β€” kexts, mounts, hardware events

Baseline query used in every intake: log show --style syslog --info --debug --predicate 'subsystem == "com.apple.opendirectoryd" OR subsystem == "com.apple.loginwindow" OR eventMessage CONTAINS "authentication"' --start "YYYY-MM-DD HH:MM:SS".

log show and log collect β€” the two workflows

Live host: sudo log collect --output /Volumes/EVIDENCE/logs.logarchive --last 30d preserves the tracev3 store and uuidtext together as a portable .logarchive bundle we can analyze offline.

Dead-box acquisition: we mount the source volume read-only and copy /var/db/diagnostics/ and /var/db/uuidtext/ together β€” the tracev3 files are unusable without the matching uuidtext strings. Analysis is performed with log show --archive path.logarchive against the copied archive, never against the original volume.

Every command executed is captured in an examination log so the reconstruction is repeatable and defensible.

Authentication and privilege escalation events

EventWhere recordedMeaning
Console loginloginwindow subsystem + ASL auth.logSuccessful GUI login with short-name of user
Screensaver unlockloginwindow “SessionAgentNotificationCenter”Physical presence at the keyboard
sudo invocationcom.apple.sudo / auth.logUser, tty, command executed
Admin authentication promptauthorization / SecurityAgentRight requested (system.preferences etc.) and result
TouchID / Watch unlocksecurityd + loginwindowBiometric unlock, differentiates from password
SSH logincom.apple.sshd + auth.logSource IP, user, publickey/password method
Screen sharingcom.apple.screensharingClient IP, session start/stop
Failed authenticationopendirectorydBad password, unknown user, or locked account

Detecting log tampering

  • Missing tracev3 chunks β€” the Unified Log rolls in ~256 MB increments; abrupt gaps that don’t align with rollover are suspect.
  • Deleted /var/db/diagnostics or /var/db/uuidtext β€” recovered via APFS local snapshots (see Mac File System Forensics) and Time Machine.
  • Time skew β€” cross-reference com.apple.system.timesync and com.apple.system.launchd boot events; the Unified Log preserves both monotonic boot time and wall-clock time.
  • Shell history removal β€” ~/.zsh_history / ~/.bash_history deletion is recoverable from APFS snapshots and Time Machine.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.

Related Mac forensics pages

Frequently asked questions

How far back do macOS logs go?

Unified Log Persist typically retains ~30 days on a desktop and can span several months on lightly used systems. Special stream, ASL, install.log, and wifi.log often reach further back. Time Machine and APFS local snapshots frequently extend the window.

Can you prove who was at the Mac?

Often yes. loginwindow console-unlock events with a specific short-name, correlated with KnowledgeC.db /app/inFocus and TouchID/Watch unlock records, place a specific user account (and frequently their biometric) at the machine at a specific moment.

What if the user cleared their logs?

The Unified Log is not user-editable through the standard tools without root; even root deletion is recoverable from APFS local snapshots and Time Machine. sudo, launchctl unload, and file-delete actions themselves leave records in the earlier chunks that survive.

Is log show equivalent for evidence?

Only when run against a preserved .logarchive with the source uuidtext included. Running log show live against the running host is fine for triage but not for a preservation of record.

Ready to move on your mac system log matter?

Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Apple: Logging (os_log). developer.apple.com
  2. Apple: log(1) man page. ss64.com
  3. SANS: macOS Unified Logs. www.sans.org
  4. Objective-See: macOS logging deep dive. objective-see.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#MacForensics #UnifiedLog #macOS #DFIR #tracev3 #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder