在 macOS Sequoia 中使用子系统和类别谓词搜索统一系统日志

在 macOS 中使用谓词搜索统一系统日志时，使用日志子系统通常很有帮助。例如，在之前一篇关于在日志中查找 DDM 状态信息的文章中，我使用了以下命令查找过去十分钟内记录的数据：

1

/usr/bin/log show --predicate 'subsystem=="com.apple.remotemanagementd"' --info --last 10m

此搜索在搜索日志时使用了 com.apple.remotemanagementd 子系统作为谓词。但是，您可以通过搜索 com.apple.remotemanagementd 子系统内的特定信息类别来获得更细粒度的结果。

让我们看看运行上述命令返回的数据：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


username@ZHW4T3TFTH ~ % sudo /usr/bin/log show --predicate 'subsystem=="com.apple.remotemanagementd"' --info --last 10m

Password:
Filtering the log data using "subsystem == "com.apple.remotemanagementd""
Skipping debug messages, pass --debug to include.

Timestamp                       Thread     Type        Activity             PID    TTL  
2025-08-24 13:50:20.341060-0400 0x2a02     Default     0x0                  423    0    remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Evaluating new connection <NSXPCConnection: 0x97011c0a0> connection from pid 1177 on mach service named com.apple.remotemanagementd
2025-08-24 13:50:20.341093-0400 0x2a02     Default     0x0                  423    0    remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Accepted new connection <NSXPCConnection: 0x97011c0a0> connection from pid 1177 on mach service named com.apple.remotemanagementd
2025-08-24 13:50:20.341969-0400 0x2cd9     Default     0x86bf               423    0    remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Finding management channel
2025-08-24 13:50:20.345364-0400 0x2cd9     Default     0x86bf               423    0    remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Found management channel
2025-08-24 13:50:20.345616-0400 0x2cd9     Default     0x3d1c0              423    0    remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Updating 50721780-919B-4DC3-992C-0645A2E38B01 with sync tokens response..
2025-08-24 13:50:20.345738-0400 0x2cd9     Info        0x3d1c2              423    0    remotemanagementd: [com.apple.remotemanagementd:client] Updating via sync tokens…
2025-08-24 13:50:20.348540-0400 0x2cd9     Info        0x3d1c2              423    0    remotemanagementd: [com.apple.remotemanagementd:client] Updating finished
2025-08-24 13:50:20.348554-0400 0x2cd9     Default     0x3d1c2              423    0    remotemanagementd: [com.apple.remotemanagementd:XPCListenerDelegate] Updated with 50721780-919B-4DC3-992C-0645A2E38B01 with sync tokens
2025-08-24 13:50:20.348567-0400 0x2a02     Info        0x3d1c2              423    0    remotemanagementd: [com.apple.remotemanagementd:client] Syncing only if needed…
2025-08-24 13:50:20.476354-0400 0x2a02     Info        0x3d1c2              423    0    remotemanagementd: [com.apple.remotemanagementd:client] There was no status report to send.
2025-08-24 13:50:21.106677-0400 0x2cd9     Info        0x3d1c4              423    0    remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Got back from MDM: 200
2025-08-24 13:50:21.172921-0400 0x2cd9     Info        0x3d1c4              423    0    remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Successfully saved server tokens
2025-08-24 13:50:21.180791-0400 0x302d     Info        0x3d1c3              423    0    remotemanagementd: [com.apple.remotemanagementd:client] Sync  only if needed finished

——————————————————————————————————————–
Log      – Default:          6, Info:                7, Debug:             0, Error:          0, Fault:          0
Activity – Create:           0, Transition:          0, Actions:           0
username@ZHW4T3TFTH ~ % 

在通过搜索 com.apple.remotemanagementd 子系统返回的数据中，子系统日志条目包含几个类别：

XPCListenerDelegate
client
mdmConduit

这些类别在返回的日志条目中显示在 com.apple.remotemanagementd 子系统列表之后，如下所示：

1
2
3


com.apple.remotemanagementd:XPCListenerDelegate
com.apple.remotemanagementd:client
com.apple.remotemanagementd:mdmConduit

如果我们想要更细粒度地搜索统一系统日志，仅查找过去十分钟内与日志记录子系统的特定类别相关的日志，可以使用以下命令通过以下谓词进行搜索：

子系统：com.apple.remotemanagementd
类别：mdmConduit

1

/usr/bin/log show --predicate 'subsystem=="com.apple.remotemanagementd" && category=="mdmConduit"' --info --last 10m

这将仅返回那些同时匹配 com.apple.remotemanagementd 子系统和 mdmConduit 类别的日志条目：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


username@ZHW4T3TFTH ~ % sudo /usr/bin/log show --predicate 'subsystem=="com.apple.remotemanagementd" && category=="mdmConduit"' --info --last 10m

Password:
Filtering the log data using "subsystem == "com.apple.remotemanagementd" AND category == "mdmConduit""
Skipping debug messages, pass --debug to include.

Timestamp                       Thread     Type        Activity             PID    TTL  
2025-08-24 13:50:21.106677-0400 0x2cd9     Info        0x3d1c4              423    0    remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Got back from MDM: 200
2025-08-24 13:50:21.172921-0400 0x2cd9     Info        0x3d1c4              423    0    remotemanagementd: [com.apple.remotemanagementd:mdmConduit] Successfully saved server tokens

——————————————————————————————————————–
Log      – Default:          0, Info:                8, Debug:             0, Error:          0, Fault:          0
Activity – Create:           0, Transition:          0, Actions:           0
username@ZHW4T3TFTH ~ % 

macOS Sequoia 系统日志搜索：使用子系统和类别谓词的高级技巧

本文详细介绍了如何在macOS Sequoia中使用log命令的子系统(subsystem)和类别(category)谓词来精确搜索统一系统日志，包含具体命令示例和实际输出结果分析，帮助管理员更高效地筛选日志信息。

在 macOS Sequoia 中使用子系统和类别谓词搜索统一系统日志