You can start reviewing the macOS Unified Logs with a predicate filter. You can also search for entries that contain the string <private>, and you can look for entries written by mDNSResponder, the daemon that logs DNS lookups made by processes. This information helps when troubleshooting unexpected system restarts and kernel panics.
Troubleshooting unexpected system restarts and kernel panics
If you are having unexpected system restarts or kernel panics, there are a few things you can do to get your Mac up and running again. For a quick fix, you can try resetting your Mac or reinstalling the system. For a more permanent solution, check your Mac's logs for clues.
First, try disabling startup items and login items; your Mac will restart once you disable them. If you don't have an administrator password, you may need to power it off and on again.
Next, use the Console app to gather data about your system. You can find the app in the Applications folder (under Utilities), or search for it with Spotlight.
If you are experiencing a macOS kernel panic, it may be caused by a third-party kernel extension. If an external device is attached to your Mac, you can use the Console to see what it is doing.
Searching for entries that contain the string <private>
If you've spent any amount of time browsing the macOS logs, you've undoubtedly noticed the "<private>" string mentioned above. While it might make you nervous, the entries that carry it can still provide useful details, namely timestamps of system restarts, which are especially helpful if you're dealing with a kernel panic. Fortunately, the log itself can be queried to get at the heart of the issue.
Apple has been proactive in its approach to privacy, which is why many of the entries mentioned above contain "<private>". As a result, it's not always easy to get a handle on what's going on in the background. It is possible, though, if you're willing to devote a little extra effort to the task.
To get the full effect, you'll have to repurpose your favorite terminal command and delve into the Mac OS X logging APIs. Luckily, you'll be greeted by a swarm of helpful tools. For starters, there's the log itself, whose entries can be sorted by time zone to narrow down your search. If you're interested in the nitty-gritty of the logging process, the sysdiagnose log archive can also be a useful ally.
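The query described above, as an added example that is not part of the original article: a predicate that selects only entries carrying the redaction marker, plus two small helpers that summarise such entries from `log show --style syslog` output. The four sample lines are constructed to approximate that output's shape (timestamp, host, process[pid], message) and are not real log data; the script only calls the real `log` command when it is running on macOS.

```shell
#!/bin/sh
# Added example, not from the original article. Summarises redacted
# ("<private>") entries per process from `log show --style syslog` output.

# Constructed sample lines approximating `log show --style syslog` output.
SAMPLE_SYSLOG='2024-01-15 09:12:01.123456-0500  localhost kernel[0]: (AppleSMC) <private> shutdown cause: -128
2024-01-15 09:12:02.000001-0500  localhost mDNSResponder[123]: [R45] getaddrinfo start -> <private>
2024-01-15 09:12:03.500000-0500  localhost loginwindow[456]: login proceeding for user
2024-01-15 09:12:04.250000-0500  localhost mDNSResponder[123]: [R46] getaddrinfo stop -> <private>'

# Predicate that selects only entries whose message carries the redaction marker.
private_predicate() {
    printf '%s' 'eventMessage CONTAINS "<private>"'
}

# Count redacted entries per process from syslog-style lines on stdin.
# Output: "<process> <count>", one line per process, sorted by process name.
count_private_by_process() {
    grep -F '<private>' | awk '{
        # field 4 is "process[pid]:"; strip the pid and the trailing colon
        sub(/\[[0-9]+\]:$/, "", $4); n[$4]++
    } END { for (p in n) print p, n[p] }' | sort
}

# Timestamps of the redacted entries written by one process (the article
# uses redacted kernel entries to locate restart times).
private_timestamps_for() {
    proc="$1"
    grep -F '<private>' | awk -v p="$proc" '{
        sub(/\[[0-9]+\]:$/, "", $4)
        if ($4 == p) print $1, $2
    }'
}

# Query the live log only on macOS; elsewhere run against the sample.
if [ "$(uname)" = "Darwin" ]; then
    log show --last 1h --style syslog --predicate "$(private_predicate)" | count_private_by_process
else
    printf '%s\n' "$SAMPLE_SYSLOG" | count_private_by_process
fi
```

The count tells you how much of a given process's output is redacted before you start an investigation. On Catalina and later, Apple lets you reveal the redacted fields by installing a configuration profile whose com.apple.system.logging payload sets Enable-Private-Data to true; that only affects entries written after the profile is installed, so it is a preparation step, not something that recovers data already redacted.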
Predicate filters for macOS Unified Logs
Using predicate filters to review macOS Unified Logs is one way to narrow the data down to something manageable. A common challenge is that the Unified Logs generate a large amount of data, so a forensic analyst has to be familiar with the system to filter it effectively.
A forensic analyst can use Apple-provided tools to analyze the log, or commercial tools to operationalize the data. Either can help an investigator get a clear view of what's going on.
Predicate filters allow an analyst to isolate specific messages or artifacts, for example a log of software updates initiated by an MDM solution, or of DNS lookups performed by a particular process.
When using these predicates, note that a single predicate option accepts only one expression. This means a forensic analyst may need to tweak the filter until it returns the results they want.
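The two predicate use cases above (MDM-initiated updates, DNS lookups by a process), as an added example that is not from the original article. Because `log show --predicate` takes one expression, separate conditions have to be joined inside it with AND or OR; the helper below builds such expressions from parts. The predicate keys (process, eventMessage) and the CONTAINS[c] operator are standard `log` predicate syntax; the assumption that mDNSResponder's messages contain "getaddrinfo" and that MDM-driven updates surface under the softwareupdated process is mine, so adjust the strings to what your own log shows.

```shell
#!/bin/sh
# Added example, not from the original article: composing one --predicate
# expression for `log show` from several conditions.

# Join any number of conditions with AND, each wrapped in parentheses.
and_predicate() {
    out=""
    for cond in "$@"; do
        if [ -z "$out" ]; then out="($cond)"; else out="$out AND ($cond)"; fi
    done
    printf '%s' "$out"
}

# DNS lookups logged by mDNSResponder on behalf of one client process.
# Assumption: the message text names the client and contains "getaddrinfo".
dns_lookup_predicate() {
    client="$1"
    and_predicate 'process == "mDNSResponder"' \
                  'eventMessage CONTAINS[c] "getaddrinfo"' \
                  "eventMessage CONTAINS[c] \"$client\""
}

# Software updates driven by MDM. Assumption: they surface as messages from
# the softwareupdated daemon that mention "update".
mdm_update_predicate() {
    and_predicate 'process == "softwareupdated"' \
                  'eventMessage CONTAINS[c] "update"'
}

# Render the full `log show` command for the last N hours without running it,
# so the query can be reviewed (or pasted into a runbook) first.
log_show_cmd() {
    hours="$1"; pred="$2"
    printf "log show --last %sh --info --style compact --predicate '%s'" "$hours" "$pred"
}

if [ "$(uname)" = "Darwin" ]; then
    # --info includes Info-level entries, which mDNSResponder writes most of.
    log show --last 1h --info --style compact --predicate "$(dns_lookup_predicate Safari)"
else
    echo "Would run: $(log_show_cmd 1 "$(dns_lookup_predicate Safari)")"
fi
```

Keep the outer quotes around the predicate single quotes on the command line so the double quotes inside the expression reach `log` intact; `log show` also accepts `--start`/`--end` timestamps and `--archive` for a sysdiagnose logarchive, which is usually what a forensic analyst has rather than the live system.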
mDNSResponder generates log entries for DNS lookups by processes
The mDNSResponder component of macOS is one of the most verbose logging sources available. It generates log entries for DNS lookups made by processes, and this log can be viewed with a simple command.
mDNSResponder is the system-wide unicast DNS resolver that runs on Mac OS X. Bugs that may affect the component are tracked in Apple's Radar. It also handles Multicast DNS queries and responses. You can add StrictUnicastOrdering to the mDNSResponder launch daemon plist to force it to always process Multicast DNS queries in the proper order.
The DNS cache is a temporary database of records and information from previous DNS lookups. It is consulted every time you enter a URL or click a hyperlink. If you change DNS servers, it's important to flush the cache. You can do this with the dscacheutil command, which only works on macOS Sierra and El Capitan.
The SRV record is the second part of the response to a DNS query. It has an rrtype value of 33 and is included in the Answer section of the DNS response.
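Reading the mDNSResponder entries the section describes, as an added example that is not from the original article: it summarises which client process asked for which name and pulls out SRV queries. The exact message layout varies between macOS versions, so the five sample lines are constructed to approximate the shape of `log show --style syslog --predicate 'process == "mDNSResponder"'` output (a "hostname:" token followed by the name, and the client shown as "pid: N (name)"); they are not real log data, and the field positions the parser relies on are an assumption to check against your own output.

```shell
#!/bin/sh
# Added example, not from the original article: summarising DNS lookups
# recorded by mDNSResponder per requesting process.

# Constructed sample approximating mDNSResponder entries in syslog style.
SAMPLE_MDNS='2024-01-15 09:12:02.000001-0500  localhost mDNSResponder[123]: [R45] getaddrinfo start -- hostname: example.com., client pid: 456 (Safari)
2024-01-15 09:12:02.100000-0500  localhost mDNSResponder[123]: [R45] getaddrinfo stop -- hostname: example.com., client pid: 456 (Safari)
2024-01-15 09:12:05.000000-0500  localhost mDNSResponder[123]: [R46] getaddrinfo start -- hostname: updates.example.net., client pid: 789 (softwareupdated)
2024-01-15 09:12:09.000000-0500  localhost mDNSResponder[123]: [R47] getaddrinfo start -- hostname: example.com., client pid: 456 (Safari)
2024-01-15 09:12:11.000000-0500  localhost mDNSResponder[123]: [R48] DNSServiceQueryRecord(_ldap._tcp.corp.example., SRV) START PID[321](dirhelper)'

# Count lookups per (client, hostname). Only "start" events are requests;
# counting "stop" events too would double every lookup.
# Output: "<client> <hostname> <count>", one line per pair, sorted.
lookups_by_client() {
    grep -F 'getaddrinfo start' | awk '{
        host = ""; client = ""
        for (i = 1; i <= NF; i++) {
            # the name follows the "hostname:" token; drop the trailing dot and comma
            if ($i == "hostname:") { host = $(i+1); sub(/[.,]+$/, "", host) }
            # the client process name is the parenthesised token
            if ($i ~ /^\(.*\)$/) { client = $i; gsub(/[()]/, "", client) }
        }
        if (host != "" && client != "") n[client " " host]++
    } END { for (k in n) print k, n[k] }' | sort
}

# Names queried with record type SRV (rrtype 33) via DNSServiceQueryRecord.
srv_queries() {
    grep -F 'SRV)' | sed -n 's/.*DNSServiceQueryRecord(\([^,]*\), SRV).*/\1/p'
}

if [ "$(uname)" = "Darwin" ]; then
    log show --last 1h --info --style syslog --predicate 'process == "mDNSResponder"' | lookups_by_client
else
    printf '%s\n' "$SAMPLE_MDNS" | lookups_by_client
fi
```

A per-process summary like this is what makes the verbose mDNSResponder log useful for triage: a process that should never touch the network showing up beside a hostname, or a burst of lookups at the time of a restart, stands out immediately, whereas the raw entries do not.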