Unified logs

good to know

Although you can choose from multiple formats for audit logs, Unified logs currently only support JSON formatting.

From Apple: "The unified logging system provides a comprehensive and performant API to capture telemetry across all levels of the system. This system centralizes the storage of log data in memory and on disk, rather than writing that data to a text-based log file. You view log messages using the Console app, log command-line tool, or Xcode debug console."

logga lets you do the opposite: filter selected Unified Logging entries & persist them as json.

Log structure

Example Unified log entry:

{
    "timestamp":"2024-09-01T21:55:19.976Z",
    "hostname":"macbook-pro.local",
    "log": {
        "level":3,
        "activity_identifier":8350237,
        "category":"monitor",
        "store_category":0,
        "format_string":"Calculated state for %{public}@: %{public}@ (role: %{public}@) (endowments: %@) ",
        "composed_message":"Calculated state for app<application.com.apple.   ScriptEditor.id.touchbar-deflicker.37030534.37030542(501)>: running-active (role: UserInteractive) (endowments: <private>)",
        "process":"runningboardd",
        "process_identifier":216,
        "sender":"RunningBoard",
        "subsystem":"com.apple.runningboard",
        "thread_identifier":7426775
    }
}

good to know

Unified logs mostly follow the above structure, altough there can be minor differences.