Add a table for the unified log on darwin #6904
Conversation
mike-myers-tob
added
macOS
macOS Big Sur
| {LESS_THAN_OR_EQUALS, NSLessThanOrEqualToPredicateOperatorType}, | ||
| {LIKE, NSLikePredicateOperatorType}}; | ||
|
|
||
| const std::map<std::string, std::string> columnToOSLogEntryProp = { |
There was a problem hiding this comment.
I'm having trouble finding docs on the object in question, but man logs also describes eventType, messageType, processImagePath, and senderImagePath. Do you think we care about any of those?
There was a problem hiding this comment.
the best place to find docs would probably be the entry for OSLogEntryLog. processImagePath and senderImagePath aren't exposed in this API. eventType might be something we can extract, I'll take a look, though I don't think so. messageType is the severity of the message when the event type is a log or trace event--I'm not sure it's exposed in this api either. I'll dig in.
There was a problem hiding this comment.
Something like this might work:
const char* aulLevelNames[] = {
[OSLogEntryLogLevelUndefined] = "undefined",
[OSLogEntryLogLevelDebug] = "debug",
[OSLogEntryLogLevelInfo] = "info",
[OSLogEntryLogLevelNotice] = "default",
[OSLogEntryLogLevelError] = "error",
[OSLogEntryLogLevelFault] = "fault",
};
if ([entry isKindOfClass:[OSLogEntryLog class]]) {
r["type"] = aulLevelNames[[(OSLogEntryLog*)entry level]];
} else if ([entry isKindOfClass:[OSLogEntryActivity class]]) {
r["type"] = "activity";
}
There was a problem hiding this comment.
I think this is slightly dangerous. If the set of logtypes change then this could fault. However, that seems unlikely. Can you use a C++ container to get this same effect, then you will except vs. fault.
…e position of the enumerator
GarretReece
force-pushed
the
garret/table/darwin_unified_log
branch
from
5a3a581
to
bc2040e
Compare
mike-myers-tob
added
the
ready for review
theopolis
removed
the
ready for review
|
I did some ad-hoc testing on macOS 11.2 and it works there also (previously was tested only on 10.15). If anyone would like to help with this PR, I see a few things to finish:
|
|
Much thanks to @GarretReece and @puffyCid on this, we can close this PR in favor of finishing the work in #7259 |
This code implements a virtual table for darwin that uses the OSLog framework to read and return entries from the unified system log. Prior versions of macOS did not have an api to access this data, necessitating an extension that invoked the
logutility. macOS 10.15 makes this no longer necessary.At the moment I've tested these changes only on a 10.15 vm. I'd be grateful to the community for feedback regarding building on earlier versions of macOS.
Closes #5760