Unified Logging System (log show)
Location
/var/db/diagnostics/ and /var/db/uuidtext/ (tracev3 files)
Description
The macOS Unified Logging system was introduced in macOS 10.12 Sierra, replacing the legacy ASL and syslog systems. It captures log messages from the kernel, system services, and applications in a compressed tracev3 binary format. It is queried with the log show and log stream commands, using predicate-based filtering by subsystem, category, process, and log level.
Forensic Value
The Unified Log is the single most comprehensive logging source on macOS, capturing process execution, network connections, authentication events, application launches, Gatekeeper decisions, and XProtect detections in one place. Each entry records the originating process, subsystem, and thread, enabling precise attribution. The info and debug log levels contain detailed diagnostic data but are held in memory-only buffers with limited persistence, so they are only available from a live system. Forensic collection should occur as soon as possible because older entries are purged under storage pressure. The log show command with --predicate filtering enables targeted extraction of security-relevant events.
Tools Required
Collection Commands
log
log show --last 7d --predicate "process == 'sudo' OR process == 'su'" > /forensics/auth_log.txt
log
log show --last 24h --info --debug --predicate "subsystem == 'com.apple.xprotect'" > /forensics/xprotect_log.txt
log
log collect --output /forensics/unified_log_archive.logarchive
mac_apt
python mac_apt.py -i /path/to/image -o /forensics/output UNIFIEDLOGS
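The following is an added example, not part of the original reference card: it builds the targeted log show invocation shown above (JSON output style, so fields are kept intact) and triages the resulting entries by process, error level, and how many came from the volatile info/debug levels. The JSON record shape and key names (processImagePath, messageType, eventMessage) are assumed from typical log show --style json output, and the sample entries are constructed.

```python
"""Build targeted `log show` collections and triage their JSON output (added example)."""
import json
import shlex
from collections import Counter


def build_log_show_cmd(predicate, last="7d", info=False, debug=False):
    """argv for a targeted collection; --style json keeps all fields for later parsing."""
    cmd = ["log", "show", "--last", last, "--style", "json"]
    if info:
        cmd.append("--info")     # info level: memory-only, collect early
    if debug:
        cmd.append("--debug")    # debug level: memory-only, collect early
    return cmd + ["--predicate", predicate]


def process_predicate(*names):
    """Predicate matching any of the named processes, as in the sudo/su command above."""
    return " OR ".join(f"process == '{n}'" for n in names)


# Constructed sample in the shape of `log show --style json` output (key names assumed).
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-05-01 10:02:11.000000+0000", "processImagePath": "/usr/bin/sudo",
     "subsystem": "", "messageType": "Default", "processID": 412,
     "eventMessage": "admin : TTY=ttys001 ; PWD=/Users/admin ; USER=root ; COMMAND=/bin/ls"},
    {"timestamp": "2024-05-01 10:02:11.500000+0000", "processImagePath": "/usr/bin/sudo",
     "subsystem": "com.apple.opendirectoryd", "messageType": "Info", "processID": 412,
     "eventMessage": "password verification completed"},
    {"timestamp": "2024-05-01 10:03:40.000000+0000", "processImagePath": "/usr/bin/su",
     "subsystem": "", "messageType": "Error", "processID": 420,
     "eventMessage": "su: Sorry"},
])

VOLATILE_LEVELS = {"Info", "Debug"}  # levels the text describes as memory-only


def triage(json_text):
    """Summarise entries: per-process counts, error/fault messages, volatile-level count."""
    entries = json.loads(json_text)
    by_process = Counter(e["processImagePath"].rsplit("/", 1)[-1] for e in entries)
    errors = [e["eventMessage"] for e in entries if e["messageType"] in ("Error", "Fault")]
    volatile = sum(1 for e in entries if e["messageType"] in VOLATILE_LEVELS)
    return {"total": len(entries), "by_process": dict(by_process),
            "errors": errors, "volatile": volatile}


if __name__ == "__main__":
    print(shlex.join(build_log_show_cmd(process_predicate("sudo", "su"), info=True)))
    print(triage(SAMPLE_JSON))
```

On a live macOS host, pipe the printed command's output into triage() to get the same summary over real entries.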
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.