Unified Logging System (log show)
Location
/var/db/diagnostics/ and /var/db/uuidtext/ (tracev3 files)
Description
The macOS Unified Logging system was introduced in macOS 10.12 Sierra, replacing the legacy ASL and syslog facilities. It captures log messages from the kernel, system services, and applications in a compressed tracev3 binary format. The logs are queried with the log show and log stream commands, which support predicate-based filtering by subsystem, category, process, and log level.
Forensic Value
The Unified Log is the single most comprehensive logging source on macOS, capturing process execution, network connections, authentication events, application launches, Gatekeeper decisions, and XProtect detections in one place. Log entries include the originating process, subsystem, and thread, enabling precise attribution. The info and debug log levels contain detailed diagnostic data but are stored in memory-only buffers with limited persistence. Forensic collection should occur as soon as possible because older entries are purged based on storage pressure. The log show command with --predicate filtering enables targeted extraction of security-relevant events.
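A worked collection-and-query script, added here as an example rather than taken from the original entry: it preserves the on-disk log store with log collect before purging can remove entries, then runs a time-bounded log show query over the archive using a predicate built from process and subsystem clauses. The process names, the com.apple.syspolicy subsystem (where Gatekeeper assessments are typically logged), and the archive path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): targeted Unified Log collection.
# Names of processes, subsystems and paths below are assumptions for illustration.

# Join 'field == "value"' clauses with OR so one predicate covers several
# sources. The predicate grammar is the NSPredicate syntax log show accepts.
build_predicate() {
    field=$1; shift
    pred=""
    for value in "$@"; do
        clause="$field == \"$value\""
        if [ -z "$pred" ]; then pred=$clause; else pred="$pred OR $clause"; fi
    done
    printf '(%s)' "$pred"
}

# Authentication-related processes plus the syspolicy subsystem (assumed to
# carry Gatekeeper decisions); extend the lists to match the investigation.
security_predicate() {
    procs=$(build_predicate process sudo loginwindow sshd)
    subs=$(build_predicate subsystem com.apple.syspolicy)
    printf '%s OR %s' "$procs" "$subs"
}

preserve_and_query() {
    archive=$1   # e.g. /Volumes/evidence/host.logarchive (assumed path)
    window=$2    # log show --last syntax, e.g. 1d or 4h
    # Capture the full store first; storage-pressure purging is the enemy here.
    # log collect needs root to read the whole system log store.
    log collect --output "$archive" || return 1
    # Query the archive rather than the live system so results are reproducible.
    # --info and --debug pull in the memory-resident levels that rarely persist.
    log show --archive "$archive" --last "$window" --info --debug \
        --predicate "$(security_predicate)" --style syslog
}

# Only attempt the live commands on macOS, where the log utility exists.
if [ "$(uname -s)" = Darwin ] && command -v log >/dev/null 2>&1; then
    preserve_and_query "${1:-./host.logarchive}" "${2:-1d}"
fi
```

Run it as root on the target host; outside macOS the functions still load, so the predicate builder can be reused to script further queries.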