system.log (Legacy System Log)

macosSystem ConfigurationDisk ImageSIEM / Log Aggregator

Location

/var/log/system.log (and rotated /var/log/system.log.*.gz)

Description

Legacy text-based system log still generated on macOS alongside the Unified Logging system. Captures a subset of system daemon messages, kernel events, and application output in a familiar syslog format with timestamps, process names, and PIDs.

Forensic Value

While largely superseded by the Unified Log, system.log provides a human-readable text log that is easier to parse and search than tracev3 binary logs. It captures service start/stop events, kernel extension loading, network daemon activity, and authentication-related messages. The rotated log archives (.gz) may contain weeks of historical data. On older macOS versions, system.log is the primary system log and contains more comprehensive entries than on modern versions.

Tools Required

greplesslog2timeline (Plaso)mac_apt

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical