How to use `log stream` to search ALL existent logs on macOS for strings

Tags: command line, logs

I need to search all logs on macOS Mojave for "some string". I was told that the way to do this was to execute:

sudo log stream --source --start'1999-99-99 23:59' | egrep -i "some regex string"

However this isn't doing the trick. What's the appropriate way to do this?

Best Answer

No support for --start

The usage guidance for log stream gives no indication that a --start argument is supported; I wonder if they were talking about log show instead.

log stream usage
$ log stream --source --start
log: unrecognized option `--start'
usage: log stream [options]
   or: log stream [options] --process <pid> | <process>

description:
    Stream events from the system or a given process.

options:
    --color <mode>                  Control color output (valid: auto, always, none)
    --level default | info | debug  Include events at, and below, the given level
    --predicate <predicate>         Filter events using the given predicate
    --process <pid> | <process>     Stream events from the specified process
    --source                        Annotate output with source file and line-number
    --style <style>                 Output format (valid: syslog, json, compact)
    --timeout <num>[m|h|d]          Terminate streaming after timeout has elapsed
    --type activity | log | trace   Limit streaming to a given event type
    --mach-continuous-time          Print mach continuous time timestamps rather than walltime

predicate usage:
    Filter predicates follow the NSPredicate format described at:
    https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html

    For predicate field/type details, see `log help predicates`.

Using log show

log show has a --start switch which you can use as follows:

$ log show --source --start '2019-01-01' | egrep -i "some regex string"

NOTE: This can be a very expensive command to run since it'll be going through all the logs on your system from that --start time, but will return all the matches to your egrep.

Streaming logs

The use of log show will stop once it encounters the end of the logs. If you truly want to analyze/filter the stream of logs as they occur then you'll want to use log stream like this:

$ log stream --source | grep -iE "some regex string"

-or-

$ log stream --source --predicate 'processImagePath contains "some bit of text"'
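As an added example (not part of the answer above), here is a small Python wrapper around the log show approach that does what the answer describes with egrep, but on parsed JSON instead of text: it validates the --start date before spawning anything (the question's '1999-99-99 23:59' would be rejected up front), optionally builds a processImagePath contains "…" predicate, runs log show --style json, and applies a case-insensitive regex to the message, process path and subsystem fields. The field names, and the --start date layouts, are assumptions from the macOS man page and from inspecting json output on Mojave; the SAMPLE_EVENTS list is constructed so the filtering runs offline on a non-Mac.

```python
"""Search the macOS unified log for a regex (added example, not the answer's code).

Assumptions:
  * `log show --style json` prints a JSON array of event objects whose keys
    include "timestamp", "eventMessage", "processImagePath" and "subsystem";
  * `--start` accepts "YYYY-MM-DD", "YYYY-MM-DD HH:MM:SS" or
    "YYYY-MM-DD HH:MM:SS+ZZZZ" (the formats listed in the man page).
"""
import json
import re
import shutil
import subprocess
from datetime import datetime

# Date layouts `log show --start` understands (assumption, from the man page).
START_FORMATS = ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S%z")

# Constructed sample events in the shape `log show --style json` emits.
SAMPLE_EVENTS = [
    {"timestamp": "2019-01-02 10:00:01.000000+0000",
     "processImagePath": "/usr/libexec/securityd",
     "subsystem": "com.apple.securityd",
     "eventMessage": "client authorised: some string matched"},
    {"timestamp": "2019-01-02 10:00:02.000000+0000",
     "processImagePath": "/usr/sbin/sshd",
     "subsystem": "com.openssh.sshd",
     "eventMessage": "Accepted publickey for alice"},
    {"timestamp": "2019-01-02 10:00:03.000000+0000",
     "processImagePath": "/Applications/Some String.app/Contents/MacOS/app",
     "subsystem": "",
     "eventMessage": "launched"},
]


def validate_start(start):
    """Reject dates `log show` would refuse, e.g. '1999-99-99 23:59'."""
    for fmt in START_FORMATS:
        try:
            datetime.strptime(start, fmt)
            return start
        except ValueError:
            continue
    raise ValueError(f"--start {start!r} is not in a format log show accepts")


def predicate_contains(field, needle):
    """Build an NSPredicate like the answer's processImagePath example.
    Quotes and backslashes would need NSPredicate escaping, so refuse them."""
    if '"' in needle or "\\" in needle:
        raise ValueError("needle must not contain quotes or backslashes")
    return f'{field} contains "{needle}"'


def build_log_show_cmd(start, predicate=None):
    """argv for `log show`, JSON output, starting at a validated date."""
    cmd = ["log", "show", "--style", "json", "--start", validate_start(start)]
    if predicate:
        cmd += ["--predicate", predicate]
    return cmd


def grep_events(events, pattern,
                fields=("eventMessage", "processImagePath", "subsystem")):
    """Case-insensitive regex over the chosen fields, like `egrep -i` on text."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in events if any(rx.search(e.get(f) or "") for f in fields)]


def search_unified_log(start, pattern, predicate=None):
    """Run `log show` (macOS only) and grep the parsed events."""
    if shutil.which("log") is None:
        raise RuntimeError("`log` not found; this only works on macOS")
    out = subprocess.run(build_log_show_cmd(start, predicate), check=True,
                         capture_output=True, text=True).stdout
    return grep_events(json.loads(out) if out.strip() else [], pattern)


if __name__ == "__main__":
    # Offline demonstration on the constructed events; on a Mac call
    # search_unified_log("2019-01-01", "some string") instead.
    for e in grep_events(SAMPLE_EVENTS, "some string"):
        print(e["timestamp"], e["processImagePath"], e["eventMessage"])
```

Matching on parsed fields rather than the syslog-style text line means a regex cannot accidentally hit a timestamp or PID column, and the same event list can be filtered several ways without re-running the expensive log show. Note that NSPredicate's plain contains is case-sensitive; contains[c] is the case-insensitive form if you want the predicate itself to ignore case.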
