Using sysdiagnose logarchive files to provide access to system logging
This article explains how to access the system log through the system_logs.logarchive file produced by sysdiagnose, and how to analyze it with Console.app or the log command-line tool. 2025-4-30 22:30:17 Author: derflounder.wordpress.com


When it comes to figuring out what is happening on an Apple device, creating a sysdiagnose file is usually the way to go. A sysdiagnose file is the final outcome of your Apple device running almost every performance and problem-tracing tool available, then bundling the resulting logs together into one compressed file. However, because these logs are intended for use and analysis by Apple's engineers, the sheer volume of information can be overwhelming.

One way to manage this flood of data is to use the system_logs.logarchive file included with every sysdiagnose file. The system_logs.logarchive file is a snapshot of the unified system log as of the time that the sysdiagnose was created, so it has a large amount of information about what was happening on that Apple device at the time.

Accessing the information in the system_logs.logarchive file can be accomplished using the following process:

  1. Get the desired sysdiagnose file (a .tar.gz archive).
  2. Uncompress it.
  3. In the resulting directory, locate the system_logs.logarchive file.

You can work with the system_logs.logarchive file using a couple of tools included with macOS:

  • Console.app
  • The log command line tool

For more information, please see below the jump.

Using Console.app

To access the system_logs.logarchive file using Console.app, double-click on the system_logs.logarchive file. It should then open the Console app if needed and display a window showing the logs from the system_logs.logarchive file.

From there, you can use the Console app’s search functionality to find what you’re looking for.

Using the log command line tool

If you are viewing logs with the log command line tool, use its show subcommand together with the --archive option to point it at the system_logs.logarchive file instead of the live system log. For example, you can use a command like the one shown below to access the information in the system_logs.logarchive file:


/usr/bin/log show --info --debug --archive /path/to/system_logs.logarchive

This will likely result in a huge amount of data flying quickly through your Terminal window. It will likely make sense to provide additional filters to get back just the data you want.

For example, if you want to get only information on mobile device management traffic which was captured by the system log, you can use a command like the one shown below to add predicates which can be used by the log command line tool:


/usr/bin/log show --info --debug --archive /path/to/system_logs.logarchive --predicate 'process == "mdmclient" OR (subsystem == "com.apple.ManagedClient" AND category == "HTTPUtil")'

That should display only the entries matched by the predicate. Note that in predicate syntax AND binds more tightly than OR, so written with or without the parentheses the filter matches:

  • Any entry logged by the mdmclient process, or
  • Entries logged by the com.apple.ManagedClient subsystem within the HTTPUtil logging category

This should produce a much smaller and more focused stream of information.

Depending on how recently the sysdiagnose was created, you may be able to narrow down the returned data even further by specifying a timeframe. For example, if you wanted to check for only information logged from midnight of April 28th, 2025 to midnight of April 29th, 2025, you could use a command like the one shown below:


/usr/bin/log show --info --debug --archive /path/to/system_logs.logarchive --predicate 'process=="mdmclient" OR subsystem=="com.apple.ManagedClient" and category == "HTTPUtil"' --start '2025-04-28 00:00:00' --end '2025-04-29 00:00:00'

If you wanted to check for a relative timeframe like the past two days from the time you're running the command, you could use a command like the one shown below. Keep in mind that --last is measured from the moment you run the command, not from when the sysdiagnose was created, so on an archive more than two days old it returns nothing; use --start and --end for older archives:


/usr/bin/log show --info --debug --archive /path/to/system_logs.logarchive --predicate 'process=="mdmclient" OR subsystem=="com.apple.ManagedClient" and category == "HTTPUtil"' --last 2d
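Pulling the steps above together (unpack the sysdiagnose, find system_logs.logarchive, run log show with the MDM predicate and a time window), here is an added example script that is not part of the original post. It anchors the window to the snapshot time parsed from the sysdiagnose directory name, which sidesteps the --last pitfall on older archives, and writes the output as ndjson so it can be post-processed. The directory naming pattern sysdiagnose_YYYY.MM.DD_HH-MM-SS±ZZZZ_macOS_<model>_<build>, the acceptance of a ±ZZZZ offset by --start/--end, the use of --style ndjson, and the sample file names in the comments are assumptions of this example, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: unpack a sysdiagnose tarball, find
# system_logs.logarchive, and query it with log(1) for MDM traffic, using a time
# window anchored to the snapshot time instead of to "now".
#
# Assumptions not stated on the page:
#   - sysdiagnose directories are named
#     sysdiagnose_YYYY.MM.DD_HH-MM-SS<+|->ZZZZ_macOS_<model>_<build>
#   - `log show --start/--end` accepts "YYYY-MM-DD HH:MM:SS<+|->ZZZZ"
set -eu

# The post's MDM predicate with its precedence made explicit: AND binds tighter
# than OR, so this is mdmclient OR (ManagedClient AND HTTPUtil).
MDM_PREDICATE='process == "mdmclient" OR (subsystem == "com.apple.ManagedClient" AND category == "HTTPUtil")'

# snapshot_window DIR -> "START|END": from the snapshot date at 00:00:00 up to
# the moment the sysdiagnose was taken, both carrying the device's UTC offset.
snapshot_window() {
    name=$(basename "$1")
    d=$(printf '%s' "$name" | cut -d_ -f2 | tr . -)   # 2025.04.28    -> 2025-04-28
    f=$(printf '%s' "$name" | cut -d_ -f3)            # 14-22-10+0200
    t=$(printf '%s' "$f" | cut -c1-8 | tr - :)        # 14-22-10      -> 14:22:10
    tz=$(printf '%s' "$f" | cut -c9-)                 # +0200
    case "$d" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognised sysdiagnose name: $name" >&2; return 1 ;;
    esac
    printf '%s 00:00:00%s|%s %s%s\n' "$d" "$tz" "$d" "$t" "$tz"
}

# Single-quote one argument for display (the values used here contain no single quotes).
quote() { printf "'%s'" "$1"; }

# log_show_cmd ARCHIVE START END -> the exact invocation, printed for review
# before anything runs (a dry run of what query_archive executes).
log_show_cmd() {
    printf '/usr/bin/log show --info --debug --archive %s --predicate %s --start %s --end %s --style ndjson\n' \
        "$(quote "$1")" "$(quote "$MDM_PREDICATE")" "$(quote "$2")" "$(quote "$3")"
}

# query_archive TARBALL DEST: unpack, locate the logarchive, derive the window
# from the directory name, and write one JSON object per entry to DEST/mdm.ndjson.
query_archive() {
    tarball=$1; dest=$2
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
    archive=$(find "$dest" -maxdepth 2 -name system_logs.logarchive | head -n 1)
    [ -n "$archive" ] || { echo "no system_logs.logarchive under $dest" >&2; return 1; }
    window=$(snapshot_window "$(dirname "$archive")")
    start=${window%%|*}
    end=${window#*|}
    echo "running: $(log_show_cmd "$archive" "$start" "$end")" >&2
    /usr/bin/log show --info --debug --archive "$archive" \
        --predicate "$MDM_PREDICATE" --start "$start" --end "$end" \
        --style ndjson > "$dest/mdm.ndjson"
    echo "$(wc -l < "$dest/mdm.ndjson") entries written to $dest/mdm.ndjson"
}

# Usage: sh sysdiag_mdm.sh sysdiagnose_2025.04.28_14-22-10+0200_macOS_Mac14,2_24E263.tar.gz /tmp/sysdiag
# (the tarball name is a constructed example). With no arguments the script only
# defines the functions, so it can also be sourced.
if [ "$#" -eq 2 ]; then
    query_archive "$1" "$2"
fi
```

Because the window ends at the snapshot time rather than at "now", the same script gives the same answer whether the sysdiagnose was captured an hour ago or a month ago; adjust the start of the window if you need more than the day of capture.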


Source: https://derflounder.wordpress.com/2025/04/30/using-sysdiagnose-logarchive-files-to-provide-access-to-system-logging/