system.log (Legacy System Log)

macOS, System Configuration, Disk Image, SIEM / Log Aggregator

Location

/var/log/system.log (and rotated /var/log/system.log.*.gz)

Description

Legacy text-based system log still generated on macOS alongside the Unified Logging system. Captures a subset of system daemon messages, kernel events, and application output in a familiar syslog format with timestamps, process names, and PIDs.

Forensic Value

While largely superseded by the Unified Log, system.log provides a human-readable text log that is easier to parse and search than tracev3 binary logs. It captures service start/stop events, kernel extension loading, network daemon activity, and authentication-related messages. The rotated log archives (.gz) may contain weeks of historical data. On older macOS versions, system.log is the primary system log and contains more comprehensive entries than on modern versions.
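As an added example (not part of this reference page or any of the listed tools), a small Python parser for the syslog-style line format described above, run over constructed sample lines; the host name, process names, and the keyword list are assumptions chosen to match the events named in the Forensic Value section:

```python
import re

# Legacy syslog line: "Mon DD HH:MM:SS host process[pid] (optional label): message".
# The year is not recorded; take it from the file's mtime or from case context.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?(?: \((?P<label>[^)]*)\))?: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^--- last message repeated (?P<n>\d+) times? ---$")

def parse_line(line):
    """Return a dict of fields, a repeat marker (proc=None), or None if unparsable."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
        return rec
    r = REPEAT_RE.match(line)
    return {"proc": None, "msg": line, "repeat": int(r.group("n"))} if r else None

def summarize(lines, keywords=("Kext", "Service exited", "sudo")):
    """Count messages per process (folding 'last message repeated' markers into
    the preceding process) and collect records matching forensic keywords."""
    per_proc, hits, unparsed, last = {}, [], 0, None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
        elif rec["proc"] is None:
            if last is not None:
                per_proc[last] += rec["repeat"]
        else:
            last = rec["proc"]
            per_proc[last] = per_proc.get(last, 0) + 1
            if any(k in rec["proc"] or k in rec["msg"] for k in keywords):
                hits.append(rec)
    return {"per_proc": per_proc, "hits": hits, "unparsed": unparsed}

# Constructed sample lines in system.log format (not taken from a real host).
SAMPLE = """\
Dec  3 08:12:01 mac-mini com.apple.xpc.launchd[1] (com.apple.example.agent[512]): Service exited with abnormal code: 1
Dec  3 08:12:02 mac-mini kernel[0]: Kext com.example.driver loaded
--- last message repeated 2 times ---
Dec  3 08:12:05 mac-mini sudo[611]: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/ls
this line is not syslog
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Rotated archives can be fed to the same functions by opening them with gzip.open(path, "rt") instead of open; the unparsed count is worth checking, since a high value usually means a truncated copy or a format change between macOS releases.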

Tools Required

grep, less, log2timeline (Plaso), mac_apt

Collection Commands

cp

sudo cp /var/log/system.log* /forensics/system_logs/

find

sudo find /var/log/ -name "system.log*" -exec stat -f "%m %N" {} \; | sort -rn > /forensics/syslog_timeline.txt

log2timeline

log2timeline.py --parsers syslog /forensics/timeline.plaso /var/log/

mac_apt

python mac_apt.py -i /path/to/image -o /forensics/output SYSLOG

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1059.004, T1543.004, T1082, T1070.002, T1562.001