parsing ASL (Apple System Log) files for error messages

gabester
Contributor III

I can view them in Console one at a time. But I need to parse my fleet for a specific error that seems to only be reported in a daily asl file... I had initially thought this would be an easy lift to just do a Unix-style cat files | grep ERRORMESSAGE as an Extension Attribute to determine how many machines in my fleet might be impacted.

Then I discovered that asl files are binary encoded and I'm ramping up the learning curve on how to deal with them... But I'd rather not roll my own bespoke analyzer if someone else has already done the work or if I've just remained oblivious to a built-in Apple tool.

Example of the output I can see from a single file, say /var/log/powermanagement/2016.11.02.asl:

Nov 2 11:21:05 localhost powerd[60] <Notice>: Sleep Failure [code:0x14006C00]:
Nov 2 15:37:33 localhost powerd[60] <Notice>: Sleep Failure [code:0x14006C00]:
Nov 2 21:52:12 MYHOSTNAM powerd[60] <Notice>: Sleep Failure [code:0x14006C00]:

It looks like maybe I might be able to do something with syslog?

2 REPLIES

gabester
Contributor III

I'm surprised to see that I've either a) stumped jamfnation or b) been holding it wrong... :-)
Update on my end: to solve my problem I made the equivalent of a hammer available on Self Service that nukes a number of settings that may be responsible for the issue (Mac shutting down without saving a proper sleepimage and/or failing to restore the previous state for users) so that users can get back to normal functionality while I troubleshoot for the root cause.

Look
Valued Contributor III

syslog -f /var/log/powermanagement/2016.10.28.asl

will echo to the terminal.
Then pipe it to grep or awk, with a tail to get the last one.

syslog -f /var/log/powermanagement/2016.10.28.asl | awk '/Sleep Failure/' | tail -n 1
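
The one-liner above reads a single day's file; for the fleet-wide Extension Attribute described in the question, the same `syslog -f` call can be looped over every daily file. This is an added example, not code from the thread: `ASL_READER`, `count_matches` and `last_match` are hypothetical names, and the `YYYY.MM.DD.asl` naming is assumed from the paths quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): count "Sleep Failure" entries across
# all daily ASL files and report the total as a Jamf Extension Attribute.

ASL_DIR="${ASL_DIR:-/var/log/powermanagement}"   # directory named in the thread
PATTERN="${PATTERN:-Sleep Failure}"              # message text from the thread
# Assumption: ASL_READER is a hypothetical override so the logic can be
# exercised on plain-text fixtures; on a Mac it stays "syslog -f".
ASL_READER="${ASL_READER:-syslog -f}"

# Print the number of lines matching $2 across every *.asl file in $1.
count_matches() {
    dir="$1"; pattern="$2"; total=0
    if [ ! -d "$dir" ]; then echo 0; return 0; fi
    for f in "$dir"/*.asl; do
        [ -f "$f" ] || continue          # glob matched nothing
        # grep -c exits 1 on zero matches but still prints 0; "|| true"
        # keeps that from aborting a script run under "set -e".
        n=$($ASL_READER "$f" 2>/dev/null | grep -c -- "$pattern" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Print the most recent matching line. Files are named YYYY.MM.DD.asl, so
# the glob's lexical order is also chronological order.
last_match() {
    dir="$1"; pattern="$2"; last=""
    for f in "$dir"/*.asl; do
        [ -f "$f" ] || continue
        line=$($ASL_READER "$f" 2>/dev/null | grep -- "$pattern" | tail -n 1 || true)
        if [ -n "$line" ]; then last="$line"; fi
    done
    printf '%s\n' "$last"
}

# Jamf reads the value between <result> tags from the script's stdout.
echo "<result>$(count_matches "$ASL_DIR" "$PATTERN")</result>"
```

A machine with no matching entries, or with no powermanagement directory at all, reports `<result>0</result>`, so it can be excluded with a simple numeric criterion.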