Unix systems keep quite a few log files. Entries in the system logs record a variety of events, such as system startups, e-mail being sent, people logging in, and each use of sudo.
Mac OS X keeps most log files in /var/log, which is the same place as on many versions of Unix. Figure 11.30 shows a typical listing for that directory. Some entries are text files and some are subdirectories containing multiple log files for a process. You'll notice that most of the filenames end in .gz, indicating that they have been compressed using the gzip program (and can be viewed with zcat; see the man pages).
localhost:~ vanilla$ ls /var/log
CDIS.custom        lookupd.log.2.gz   mail.log.4.gz      system.log.3.gz
OSInstall.custom   lookupd.log.3.gz   monthly.out        system.log.4.gz
daily.out          lookupd.log.4.gz   netinfo.log        system.log.5.gz
ftp.log            lpr.log            netinfo.log.0.gz   system.log.6.gz
ftp.log.0.gz       lpr.log.0.gz       netinfo.log.1.gz   system.log.7.gz
ftp.log.1.gz       lpr.log.1.gz       netinfo.log.2.gz   weekly.out
ftp.log.2.gz       lpr.log.2.gz       netinfo.log.3.gz   wtmp
ftp.log.3.gz       lpr.log.3.gz       netinfo.log.4.gz   wtmp.0.gz
ftp.log.4.gz       lpr.log.4.gz       secure.log         wtmp.1.gz
httpd              mail.log           statistics         wtmp.2.gz
lastlog            mail.log.0.gz      system.log         wtmp.3.gz
lookupd.log        mail.log.1.gz      system.log.0.gz    wtmp.4.gz
lookupd.log.0.gz   mail.log.2.gz      system.log.1.gz
lookupd.log.1.gz   mail.log.3.gz      system.log.2.gz
localhost:~ vanilla$
The log files in /var/log are "rotated" or "rolled over" by the script /etc/periodic/daily/100.clean-logs, which is run by the periodic command. That command is in turn run from a launchd agent called com.apple.periodic-daily in the launchd configuration file /System/Library/LaunchDaemons/com.apple.periodic-daily.plist. (See "Running Regularly Scheduled Commands," earlier in this chapter.)
If you have Web sharing turned on (in the Sharing pane of System Preferences, in the Finder), then the Apache Web-server logs are of interest. These are /var/log/httpd/access_log and /var/log/httpd/error_log. Every request handled by the Web server is logged in access_log, and errors are logged (surprise!) in error_log.
If you suspect that something is going wrong with your system, especially if something is happening over and over, looking through the system log files can reveal the cause of the problem.
There isn't any special command needed for most of the logs; they are simply text files, and you can use the tools described in earlier chapters to look at them (see especially Chapter 5). Table 11.6 lists the most useful tools for looking through log files. While the log format differs for each process, in general all log file entries will include a timestamp, process name, and whatever the programmer decided was important to put in the log.
WHAT IT DOES
Views the file one screen at a time.
Searches for text patterns.
Views the end of a file. The -f (follow) option is especially useful for log files.
One particularly common situation involves watching a log file to see what is being added to it. See "To view the end of a file while it is growing," in Chapter 5.
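Because the rotated copies are gzip-compressed, a plain grep over /var/log only sees the current file. The following is an added example, not code from the original text: it searches a log and its rotated .gz copies, oldest first, so matches come out in time order. The function names and the sample log entries are constructed for illustration, and the rotated copies are assumed to be numbered contiguously from .0.gz as in the listing above.

```shell
#!/bin/sh
# Added example: search a log and its rotated .gz copies, oldest first.

# make_sample_logs DIR: writes constructed (not real) entries that imitate
# the timestamp / host / process layout described in the text.
make_sample_logs() {
    printf '%s\n' \
        'Mar  1 09:12:44 localhost sudo:  vanilla : TTY=ttyp1 ; USER=root ; COMMAND=/bin/ls' \
        'Mar  1 09:13:02 localhost lookupd[45]: constructed entry' \
        | gzip -c > "$1/system.log.1.gz"
    printf '%s\n' \
        'Mar  2 18:40:10 localhost sudo:  vanilla : TTY=ttyp2 ; USER=root ; COMMAND=/usr/bin/less /var/log/secure.log' \
        | gzip -c > "$1/system.log.0.gz"
    printf '%s\n' \
        'Mar  3 07:55:31 localhost kernel: constructed entry' \
        'Mar  3 08:01:19 localhost sudo:  puffball : TTY=ttyp1 ; USER=root ; COMMAND=/usr/sbin/periodic daily' \
        > "$1/system.log"
}

# search_rotated DIR BASE PATTERN: prints "file: line" for every match.
# Assumes rotated copies are numbered contiguously from BASE.0.gz (newest).
search_rotated() {
    dir=$1; base=$2; pattern=$3
    # Count the rotated copies, then walk from the highest number down.
    n=0
    while [ -f "$dir/$base.$n.gz" ]; do n=$((n + 1)); done
    while [ "$n" -gt 0 ]; do
        n=$((n - 1))
        # gzip -dc is equivalent to zcat; the .gz file itself is untouched.
        gzip -dc "$dir/$base.$n.gz" | grep -e "$pattern" | sed "s|^|$base.$n.gz: |"
    done
    # The uncompressed current log holds the newest entries, so it goes last.
    if [ -f "$dir/$base" ]; then
        grep -e "$pattern" "$dir/$base" | sed "s|^|$base: |"
    fi
    return 0
}

# Demonstration on the constructed sample: every logged use of sudo.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
search_rotated "$demo_dir" system.log 'sudo:'
rm -rf "$demo_dir"
```

On a real system the same function can be pointed at the log directory, for example search_rotated /var/log system.log 'sudo:'.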
One other important log file is the console log.
The console log is where most error messages go during regular operations. It can be viewed from Aqua using the Console utility: /Applications/Utilities/Console.
Console logs are created each time you log in to Aqua, and each one is owned and readable only by the user whose login created it (of course, root can also read it). In Mac OS X 10.4 the files are kept in directories named after the user ID number for the user (earlier versions of Mac OS X named the directories using the short username). So, in 10.4 the console logs for the user with user ID 502 are located in /Library/Logs/Console/502/, where you'll find a file called console.log (the current or most recent log), as well as saved log files like console.log.0, console.log.1, and so on. Use ls -l to see the last-modified times. You can translate a user ID to a user name with
dscl . -search /users UniqueID userid
dscl . -search /users UniqueID 502