Sierra wake reason syslog location?

Question

Level 1

5 points

Sierra wake reason syslog location?

I'm running OSX 10.13.3. I understand that if I run the following command in terminal I will get the wake reason for my machine.

log show --style syslog | fgrep "Wake reason"

Can someone please explain where this information is being pulled from? Is there a specific log file with this information? Or is it buried somewhere in an ASL database file?

Currently when I run the above command in terminal it gives me information dating back to 2/17/18. I have cleared all data in my log files, including: private/var/log; user/Library/Logs; Macintosh HD/Library/Logs. I would have thought the wake reason would have been contained in the system.log file. But clearly it's not, since even after deleting that file and rebooting, the above command still continues to list information dating back to 3 weeks ago and the system.log file only contains data from the time the file was re-created.

Thank you.

Posted on Mar 9, 2018 11:10 AM

Reply

Answer 1

Best reply

ctc1 Author

Level 1

5 points

Mar 10, 2018 6:56 AM in response to ctc1

Update/answer: syslog files are now part of Unified Logging, stored here:

/var/db/diagnostics/

/var/db/uuidtext/

reference here for more info:

https://eclecticlight.co/2017/09/23/sierras-unified-log-evolves-more-persistent- and-a-valuable-log-log/

https://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts- introducing-unified-logging

https://developer.apple.com/documentation/os/logging?language=occ

Use terminal and the "log collect" command to collect records and export them to disk. Use "log show" to review. Must be logged in as root in terminal.

Example:

log collect --start "2018-03-05" --output /Users/username/desktop/mylogs.logarchive

log show /Users/username/desktop/mylogs.logarchive

Finally, to narrow down wake reason search, use date commands:

log show --style syslog --start "2018-03-07" | fgrep "Wake reason"

Reply