文章介绍了在macOS Sequoia的统一系统日志中使用子系统和类别谓词进行更精确的日志搜索的方法,并通过示例展示了如何结合`subsystem`和`category`谓词过滤特定的日志信息。 2025-8-24 18:11:19 Author: derflounder.wordpress.com(查看原文) 阅读量:11 收藏
Home > Logging, Mac administration, macOS > Using subsystem and category log predicates when searching the unified system log on macOS Sequoia
Using subsystem and category log predicates when searching the unified system log on macOS Sequoia
When searching the the unified system log on macOS using predicates, it’s often useful to use logging subsystems when searching for information. For example, as part of a previous post on finding DDM status information in the logs, I used the following command to find data logged within the last ten minutes:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /usr/bin/log show –predicate 'subsystem=="com.apple.remotemanagementd"' –info –last 10m |
This search uses the com.apple.remotemanagementd subsystem as a predicate when searching the logs. However, you can get even more granular by searching for a specific category of information within the com.apple.remotemanagementd subsystem. For example, let’s look at the data returned from running the command above:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| username@ZHW4T3TFTH ~ % sudo /usr/bin/log show –predicate 'subsystem=="com.apple.remotemanagementd"' –info –last 10m | |
| Password: | |
| Filtering the log data using "subsystem == "com.apple.remotemanagementd"" | |
| Skipping debug messages, pass –debug to include. | |
| Timestamp Thread Type Activity PID TTL | |
| 2025-08-24 13:50:20.341060-0400 0x2a02 Default 0x0 423 0 remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Evaluating new connection <NSXPCConnection: 0x97011c0a0> connection from pid 1177 on mach service named com.apple.remotemanagementd | |
| 2025-08-24 13:50:20.341093-0400 0x2a02 Default 0x0 423 0 remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Accepted new connection <NSXPCConnection: 0x97011c0a0> connection from pid 1177 on mach service named com.apple.remotemanagementd | |
| 2025-08-24 13:50:20.341969-0400 0x2cd9 Default 0x86bf 423 0 remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Finding management channel | |
| 2025-08-24 13:50:20.345364-0400 0x2cd9 Default 0x86bf 423 0 remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Found management channel | |
| 2025-08-24 13:50:20.345616-0400 0x2cd9 Default 0x3d1c0 423 0 remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Updating 50721780-919B-4DC3-992C-0645A2E38B01 with sync tokens response.. | |
| 2025-08-24 13:50:20.345738-0400 0x2cd9 Info 0x3d1c2 423 0 remotemanagementd: [com.apple.remotemanagementd:client] Updating via sync tokens… | |
| 2025-08-24 13:50:20.348540-0400 0x2cd9 Info 0x3d1c2 423 0 remotemanagementd: [com.apple.remotemanagementd:client] Updating finished | |
| 2025-08-24 13:50:20.348554-0400 0x2cd9 Default 0x3d1c2 423 0 remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Updated with 50721780-919B-4DC3-992C-0645A2E38B01 with sync tokens | |
| 2025-08-24 13:50:20.348567-0400 0x2a02 Info 0x3d1c2 423 0 remotemanagementd: [com.apple.remotemanagementd:client] Syncing only if needed… | |
| 2025-08-24 13:50:20.476354-0400 0x2a02 Info 0x3d1c2 423 0 remotemanagementd: [com.apple.remotemanagementd:client] There was no status report to send. | |
| 2025-08-24 13:50:21.106677-0400 0x2cd9 Info 0x3d1c4 423 0 remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Got back from MDM: 200 | |
| 2025-08-24 13:50:21.172921-0400 0x2cd9 Info 0x3d1c4 423 0 remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Successfully saved server tokens | |
| 2025-08-24 13:50:21.180791-0400 0x302d Info 0x3d1c3 423 0 remotemanagementd: [com.apple.remotemanagementd:client] Sync only if needed finished | |
| ——————————————————————————————————————– | |
| Log – Default: 6, Info: 7, Debug: 0, Error: 0, Fault: 0 | |
| Activity – Create: 0, Transition: 0, Actions: 0 | |
| username@ZHW4T3TFTH ~ % |
Within the data returned by searching for the com.apple.remotemanagementd subsystem, there’s several categories included as part of the subsystem log entries:
- XPCListenerDelegate
- client
- mdmConduit
Those categories show up following the listing for the com.apple.remotemanagementd subsystem in the returned log entries like this:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| com.apple.remotemanagementd:XPCListenerDelegate | |
| com.apple.remotemanagementd:client | |
| com.apple.remotemanagementd:mdmConduit |
If we wanted to get more granular and search the unified system log for only the logs associated with a particular category for a logging subsystem from the last ten minutes, the following command could be used to search using the following predicates:
- Subsystem: com.apple.remotemanagementd
- Category: mdmConduit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /usr/bin/log show –predicate 'subsystem=="com.apple.remotemanagementd" && category=="mdmConduit"' –info –last 10m |
That would return only those log entries which matched both the com.apple.remotemanagementd subsystem and the mdmConduit category:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| username@ZHW4T3TFTH ~ % sudo /usr/bin/log show –predicate 'subsystem=="com.apple.remotemanagementd" && category=="mdmConduit"' –info –last 10m | |
| Password: | |
| Filtering the log data using "subsystem == "com.apple.remotemanagementd" AND category == "mdmConduit"" | |
| Skipping debug messages, pass –debug to include. | |
| Timestamp Thread Type Activity PID TTL | |
| 2025-08-24 13:50:21.106677-0400 0x2cd9 Info 0x3d1c4 423 0 remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Got back from MDM: 200 | |
| 2025-08-24 13:50:21.172921-0400 0x2cd9 Info 0x3d1c4 423 0 remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Successfully saved server tokens | |
| ——————————————————————————————————————– | |
| Log – Default: 0, Info: 8, Debug: 0, Error: 0, Fault: 0 | |
| Activity – Create: 0, Transition: 0, Actions: 0 | |
| username@ZHW4T3TFTH ~ % |
如有侵权请联系:admin#unsafe.sh