Apple Intelligence is now available on iPhone, iPad, and Mac!
Details:
I am running Mac OS X Yosemite Version 10.10.1
This is for not only my own curiosity, but legal purposes. All help is appreciated.
MacBook Pro with Retina display, OS X Yosemite (10.10.1)
System.log records the identity, mounting, and unmounting of external media previously connected to your computer. Using a USB device as an example, connect and disconnect it via a USB port and you will see a sequence of log messages similar to this:
Jan 7 09:55:49 MBP kernel[0]: USBMSC Identifier (non-unique): AADIXQ10P5VCI0Q9 0x5dc 0xa833 0x1100, 2
Jan 7 09:55:50 MBP kernel[0]: hfs: mounted OS X 10.9 Install Disk - 10.9.4 on device disk1s2
Jan 7 09:56:01 MBP kernel[0]: hfs: unmount initiated on OS X 10.9 Install Disk - 10.9.4 on device disk1s2
The string, "AADIXQ10P5VCI0Q9 0x5dc 0xa833 0x1100" is important in identifying a device. Reading the string from left to right:
“AADIXQ10P5VCI0Q9" is the Device Serial Number.
“0x5dc” is the Vendor ID.
“0xa833" is the Product ID.
“0x1100” is the Device Release Number.
“USBMSC” is a useful keyword when parsing strings to locate the identity of USB devices. “USBMSC” stands for Universal Serial Bus Mass Storage Class. You can watch the system.log stream either in the Console app or from a Terminal app window with the tail utility. In a Terminal shell, type the following and press the Return key:
tail -f /var/log/system.log
Attach a USB device to your computer, such as a USB flash drive. Then disconnect it properly by dragging its image to the Trash or right click and choose “Eject”. To exit the tail utility, press Control-C.
There are two types of system.log files, active and archived. They can be found in the /var/log folder. The archived logs are compressed files with a .gz file extension. Using Terminal, to find all the system.log files that contain the keyword, “USBMSC”, type the following and press the Return key:
zgrep -il 'usbmsc' /var/log/system.log*
To display all the lines that contain the keyword “USBMSC”, type the following and press the Return key:
zgrep -i 'usbmsc' /var/log/system.log*
Once you’ve identified a suspect device, you can highlight all occurrences of it by serial number. Type the following and press the Return key:
zgrep -i 'usbmsc' /var/log/system.log* | egrep --color 'AADIXQ10P5VCI0Q9|$’
If you want to list only the lines that contain the suspect device’s serial number, type the following and press the Return key:
zgrep -i 'AADIXQ10P5VCI0Q9' /var/log/system.log*
You may also be able to gather information about the suspect device by including the keyword “mount” in the search:
zgrep -Ei 'usbmsc|mount' /var/log/system.log*
To match the Vender ID code, Product ID code, and Device Release Number to their named entities, you can manually look them up on a online repository. There are a few, and they are all incomplete and may not be up to date. However, you can usually find at least the vendor’s name. One such repository is The USB ID Repository: http://www.linux-usb.org/usb-ids.html. To automate the process, Jason Hale has written a Perl script available here: http://dfstream.blogspot.ca/2013/01/automating-usb-device-identification-on.html. It parses system.log files for “USBMSC”, queries the repository, and outputs in CSV format ready for import into a spreadsheet.
If you are in possession of the suspect device, you can view it’s ID info and compare it to entries obtained from the system.log files. Type the following and press the Return key:
system_profiler SPUSBDataType
If the external device is connected by Firewire or Thunderbolt you can use SPFireWireDataType or SPThunderboltDataType.
System.log records the identity, mounting, and unmounting of external media previously connected to your computer. Using a USB device as an example, connect and disconnect it via a USB port and you will see a sequence of log messages similar to this:
Jan 7 09:55:49 MBP kernel[0]: USBMSC Identifier (non-unique): AADIXQ10P5VCI0Q9 0x5dc 0xa833 0x1100, 2
Jan 7 09:55:50 MBP kernel[0]: hfs: mounted OS X 10.9 Install Disk - 10.9.4 on device disk1s2
Jan 7 09:56:01 MBP kernel[0]: hfs: unmount initiated on OS X 10.9 Install Disk - 10.9.4 on device disk1s2
The string, "AADIXQ10P5VCI0Q9 0x5dc 0xa833 0x1100" is important in identifying a device. Reading the string from left to right:
“AADIXQ10P5VCI0Q9" is the Device Serial Number.
“0x5dc” is the Vendor ID.
“0xa833" is the Product ID.
“0x1100” is the Device Release Number.
“USBMSC” is a useful keyword when parsing strings to locate the identity of USB devices. “USBMSC” stands for Universal Serial Bus Mass Storage Class. You can watch the system.log stream either in the Console app or from a Terminal app window with the tail utility. In a Terminal shell, type the following and press the Return key:
tail -f /var/log/system.log
Attach a USB device to your computer, such as a USB flash drive. Then disconnect it properly by dragging its image to the Trash or right click and choose “Eject”. To exit the tail utility, press Control-C.
There are two types of system.log files, active and archived. They can be found in the /var/log folder. The archived logs are compressed files with a .gz file extension. Using Terminal, to find all the system.log files that contain the keyword, “USBMSC”, type the following and press the Return key:
zgrep -il 'usbmsc' /var/log/system.log*
To display all the lines that contain the keyword “USBMSC”, type the following and press the Return key:
zgrep -i 'usbmsc' /var/log/system.log*
Once you’ve identified a suspect device, you can highlight all occurrences of it by serial number. Type the following and press the Return key:
zgrep -i 'usbmsc' /var/log/system.log* | egrep --color 'AADIXQ10P5VCI0Q9|$’
If you want to list only the lines that contain the suspect device’s serial number, type the following and press the Return key:
zgrep -i 'AADIXQ10P5VCI0Q9' /var/log/system.log*
You may also be able to gather information about the suspect device by including the keyword “mount” in the search:
zgrep -Ei 'usbmsc|mount' /var/log/system.log*
To match the Vender ID code, Product ID code, and Device Release Number to their named entities, you can manually look them up on a online repository. There are a few, and they are all incomplete and may not be up to date. However, you can usually find at least the vendor’s name. One such repository is The USB ID Repository: http://www.linux-usb.org/usb-ids.html. To automate the process, Jason Hale has written a Perl script available here: http://dfstream.blogspot.ca/2013/01/automating-usb-device-identification-on.html. It parses system.log files for “USBMSC”, queries the repository, and outputs in CSV format ready for import into a spreadsheet.
If you are in possession of the suspect device, you can view it’s ID info and compare it to entries obtained from the system.log files. Type the following and press the Return key:
system_profiler SPUSBDataType
If the external device is connected by Firewire or Thunderbolt you can use SPFireWireDataType or SPThunderboltDataType.
In case it isn't obvious, replace the Device Serial Number in the examples above with the suspect Device Serial Number from the system.log files on your computer when typing in commands in the Terminal app. For example, replace the following blue text string in this command:
zgrep -i 'usbmsc' /var/log/system.log* | egrep --color 'AADIXQ10P5VCI0Q9|$’
Hi, there.
I am an computer idiot, but this worked with me, bravo for you!
The only problem I have now is the fact that I need log for external HD (USB) more than 7 days.
Any help?
My system is 10.11.6.
Thank you!
Most activity like this will be logged in /var/log/system.log.
You can use /Applications/Utilities/Console.app to view the logs and search for specific messages - most disks would be mounted under /Volumes, so that's a good keyword to start looking for/
By default your system logs will go back about a week or so.
Is there a system log which displays which external media/storage devices were connected/disconnected from my system? If so, please advise me on how to do so.
