Missing logs in OSLogStore

Hello,

I need to monitor the device for an activity that is not supported by ES framework. I can reliably monitor it using correct filters with log stream, for example

sudo log stream --info --style compact --predicate 'category = "X"'

But I need to provide that functionality through my application. Because of that, I made an instance of a log store, hoping I will be able to retrieve the necessary information that way. The problem is that the messages are sometimes appearing and sometimes not. The log level I am interested in is info, which according to the docs:

The system stores info-level messages in memory buffers and, without a configuration change, purges the oldest messages as those buffers fill up.

If I understand that correctly, the info messages are being written to the buffer and not the store, only sometimes reaching it. But also that should be modifiable with a configuration change? How could I make such change to always save info logs to the store and retrieve them?

I need to monitor the device for an activity that is not supported by ES framework.

You have filed an ER for that, right?

Right?

Because the contents of the system log is not an API, meaning that it could change at any time.

Please post your bug number, just for the record.

WARNING The rest of my response assumes that you’re using the system log as a short-term workaround for missing ES functionality. I don’t endorse this as a long-term solution. I don’t even guarantee it’ll work today (-:

But also that should be modifiable with a configuration change?

Probably. Make sure you don’t change this for all info events. Rather, scope this to the specific subsystem and category you care about.

As to how you change this, you can either run the log command or install a configuration profile. I have links to all the docs in Your Friend the System Log.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
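
The scoped configuration change described in the reply above, as an added example that is not code from the thread or from Apple: the functions below build and apply a `log config` invocation that persists info-level messages for one subsystem and, optionally, one category. `com.example.subsystem` is a placeholder, since the thread names only the category `X`, and the function names and `DRY_RUN` switch are hypothetical.

```shell
#!/bin/bash
# Added example. Subsystem and category values are placeholders.

# Build the `log config` arguments that persist info-level messages for ONE
# subsystem (and optionally one category). An empty subsystem is refused so
# the change can never be applied to every info event on the system.
persist_info_args() {
    subsystem="$1"
    category="$2"
    if [ -z "$subsystem" ]; then
        echo "error: a subsystem is required (do not change all info events)" >&2
        return 1
    fi
    # Allow only characters that are safe to pass unquoted to the log tool.
    case "$subsystem$category" in
        *[!A-Za-z0-9._-]*)
            echo "error: unexpected character in subsystem or category" >&2
            return 1 ;;
    esac
    args="config --subsystem $subsystem"
    if [ -n "$category" ]; then
        args="$args --category $category"
    fi
    echo "$args --mode level:info,persist:info"
}

# Apply the change. With DRY_RUN=1 the command is printed instead of run.
apply_persist_info() {
    args=$(persist_info_args "$1" "$2") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sudo log $args"
        return 0
    fi
    # Word splitting is intended here; the values were validated above.
    sudo log $args
}

# Usage on a Mac (placeholder names):
#   apply_persist_info com.example.subsystem X
#   sudo log config --status --subsystem com.example.subsystem
#   log show --last 5m --info \
#       --predicate 'subsystem == "com.example.subsystem" AND category == "X"'
```

If `log show` returns the info entries after the change, they are reaching the persistent store, which is the same data `OSLogStore` reads.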

Thank you for your answer, very long overdue ticket number FB16426295

Sadly as you mentioned, the above solution is too volatile and misses many of the events.

Thanks for filing FB16426295.

very long overdue ticket number

No worries; I have plenty of other stuff to get on with (-:

Actually, I think this worked out to your benefit, because in the interim we’ve fixed a bug in the forums platform that would’ve likely caused me to miss your response. So yay!


Oh, wait, one more thing. Your ER says:

It would be nice to monitor XYZ activity

I recommend that you update it to include more details about the activity you’re trying to monitor. Specifically:

  • Do you just want to be notified of this? Or do you want to be able to block it?
  • If you want to be able to block it, what sort of criteria are you going to use to evaluate whether to block an operator or not? For example, do you need details about the users involved, the content, or whatever.
  • Similarly, if you only care about being notified, what details are you looking for?

Think about this from the perspective of someone enhancing the ES framework. They’re going to add either an ES_EVENT_TYPE_NOTIFY_XYZ event or that event and an ES_EVENT_TYPE_AUTH_XYZ event. And then they need to come up with the structure associated with that event, and the shape of that structure will inform your ability to achieve your goals.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
