filtering lines OUT in Console app

Question

Level 2

387 points

filtering lines OUT in Console app

I am looking in my system.log checking around for odd activity on various machines. On one of these servers, I have approximately 10 gazillion repeats of the triple:

Jun 25 00:29:56 xserve com.apple.launchd[1] (com.apple.kdcmond[34743]): posix_spawn("/usr/sbin/kdcmond", ...): No such file or directory

Jun 25 00:29:56 xserve com.apple.launchd[1] (com.apple.kdcmond[34743]): Exited with exit code: 1

Jun 25 00:29:56 xserve com.apple.launchd[1] (com.apple.kdcmond): Throttling respawn: Will start in 10 seconds

(It repeats every 10 seconds day and night...) The "Filter" box evidently was named by someone unfamiliar with the common meaning of the word "filter" as it only filters out things which do not match the string, rather than things which do. (If I were to design a "filter" to find a needle in a haystack, I would have it discard hay rather than things not-hay, but, hey, what do I know?)

Is there any flag or setting which filters OUT everything that contains a string? (can't find any plausible menu items, or anything in the Help documents)

Posted on Jul 7, 2014 7:34 AM

Reply

Answer 1

WZZZ

Level 6

13,220 points

Jul 7, 2014 5:58 PM in response to cathy fasano

More to the point, xserve, or some leftover component of it (LaunchAgent or Daemon) keeps trying to start up and can't. If allowed to persist, this will bloat the logs and eventually consume GBs of space.

Reply

Answer 2

WZZZ

Level 6

13,220 points

Jul 7, 2014 6:16 PM in response to WZZZ

Btw, I'm not seeing this behavior for filtering that you describe. If, for example, I enter "wake," I only get entries with that word, either alone or as part of a longer message.

Reply

Answer 3

cathy fasano Author

Level 2

387 points

Jul 7, 2014 7:28 PM in response to WZZZ

What you are seeing is the same thing that I am seeing. I need to find any entries that do NOT contain the string "com.apple.kdcmond", and there is no apparent way to do so. I am looking to see if there are unauthorized users logging in to the computer during the early hours of the morning, and there is no way that I can see it in the blizzard of kdcmond errors.

What I need is a 'grep -v' but I can't find the physical location of the logfiles to run grep on the command line.

(Also the logfiles roll quite regularly, and so don't fill up...)

Reply

Answer 4

WZZZ

Level 6

13,220 points

Jul 8, 2014 12:27 PM in response to cathy fasano

What about searching through system log and its archives using "login"?

Where did my disk space go?

Very large Log Files caused by repeated messages from a failing system process, or logs that haven't been "rotated" in a very long time. See the green box in OSX Log Files.

http://pondini.org/OSX/DiskSpace.html

If the computer isn't awake at 12:30 AM the system log will never be rotated.

Can be done from this command

sudo newsyslog -F /var/log/system.log

Reply

Answer 5

WZZZ

Level 6

13,220 points

Jul 8, 2014 6:01 PM in response to WZZZ

Btw, the "filter" function (String Matching) in Console has always been like this.

Reply

Answer 6

andyBall_uk

Level 7

20,516 points

Jul 9, 2014 7:40 AM in response to cathy fasano

Re: missing kdcmond??

Reply

Answer 7

cathy fasano Author

Level 2

387 points

Jul 9, 2014 8:34 AM in response to cathy fasano

To answer my own question...

find / -name system.log.2*

found the log file

bunzip2

uncompressed it

and then grep -v did what I needed to do. I'm now reasonably confident that there were no unauthorized users on the server during the time in question...

oh, and

bzip2

put the logfile back into compression

Reply

Answer 8

Jul 9, 2014 9:17 AM in response to cathy fasano

You could send the contents of system.log.bz2 to standard out without decompressing the file. Something like this:

bzcat /var/log/system.log.bz2 | grep -v "kdcmond"

Reply

Answer 9

WZZZ

Level 6

13,220 points

Jul 9, 2014 12:42 PM in response to Mark Jalbert

I am still trying to understand why the OP couldn't just filter for the string "login" and search through the zipped system logs in /var/log, re-entering "login" for each log. How much trouble would that have been? I only have 7 .bz2 system logs. Why all the exasperation at all the extraneous clutter when string matching would have whittled it all down to just the different logins. What am I not understanding?

Reply

Answer 10

cathy fasano Author

Level 2

387 points

Jul 9, 2014 2:55 PM in response to WZZZ

The file server is already logged on. At some point we got sloppy and turned off the password protection on the screen saver.* Some oddities gave us a scare, we turned on the passwords, and now are pretty confident that nothing untoward happened during the period when the passwords were off.

Apple's tools always seem to come up short and I'm left with good old unix -- find, grep, etc.

*(when the disk crashed and we had to disassemble this mac mini server to replace it, and in the process of reassembling it broke a piece off the motherboard, which one of my coworkers soldered back on because he had a previous fortuitous career as an electronics tech. No, apple, no matter what you call it, a "mac mini server" is not a server.)

Reply