Previous shutdown cause in Sierra

Discussion in 'Mac Programming' started by nelly22, Oct 17, 2016.

  1. nelly22 macrumors 6502

    Joined:
    Sep 29, 2009
    #1
    This works in El Capitan but fails in Sierra. Why?

    Code:
    do shell script "grep \"Previous shutdown cause\" /var/log/system.log"
     
  2. Sciuriware macrumors 6502

    Sciuriware

    Joined:
    Jan 4, 2014
    Location:
    Gelderland
    #2
    I checked that the file was readable to me: it is.
    But it is rw-r----- with group admin: are you member of group admin?
    ;JOOP!
     
  3. nelly22 thread starter macrumors 6502

    Joined:
    Sep 29, 2009
    #3
    My user is listed in Users & Groups as Admin.

    I think the problem is that in Sierra there is not "Previous shutdown cause" in that log at all. I can use my above code and search for instance "boot" and it gets many hits.

    So the questions is, how to find out what was the cause for previous shutdown?
     
  4. Sciuriware macrumors 6502

    Sciuriware

    Joined:
    Jan 4, 2014
    Location:
    Gelderland
    #4
    Well, if it is recorded at all ..... do shutdown and grep the keyword in any log in that directory.
    Then again, most of us are only interested in crash-causes, so ... may be only those are recorded from now on.
    From time to time APPLE changes its mind but doesn't let us know.
    Example: compare the output of "ls -ld /Volumes" between El Capitan and Sierra.
    ;JOOP!
     
  5. nelly22 thread starter macrumors 6502

    Joined:
    Sep 29, 2009
    #5
    I can't find it anywhere if i search /var/log/ directory.
     
  6. Sciuriware macrumors 6502

    Sciuriware

    Joined:
    Jan 4, 2014
    Location:
    Gelderland
    #6
    I searched all user readable *.log on my system and I found 2 files that contained the word "shutdown",
    although not exactly what you were looking for:
    /private/var/log/system.log
    /private/var/log/install.log
    The latter seems to describe the Sierra installation.
    ;JOOP!
     
  7. nelly22 thread starter macrumors 6502

    Joined:
    Sep 29, 2009
    #7
    Thanks. So there is no way to get this information?
     
  8. Sciuriware macrumors 6502

    Sciuriware

    Joined:
    Jan 4, 2014
    Location:
    Gelderland
    #8
    Never say no, there must be something, may be NOT in the files we know.
    Must be a well hidden secret as nobody else jumped into the thread.
    You might ask Tim Cook himself for a try.
    ;JOOP!
     
  9. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    Location:
    Sailing beyond the sunset
    #9
    Exactly how did you do the search? What commands? What files were looked in?
    Be specific. Post the exact commands.


    If I were trying to find shutdown info in logs, I'd start with a test case.
    That is, perform a shutdown, then start the machine and look through its logs.

    It's just basic detective work, done by purposely causing the event to happen (shutdown), then looking through the evidence (logs) that exist from around the known time of the event.

    Example steps:
    1. Note the current time and date. Store in a text file.
    2. Shut down the computer.
    3. Wait 5 minutes.
    4. Start the computer.
    5. Using the day and hour from step #1, use 'grep' to search all the logs in /var/log.
    6. Once you find the day and hour in the right log, find the minute, then see what got logged.
    7. Use Console.app to check various logs around the time of the shutdown.

    The main idea in all of this is to find out what's actually being logged, if anything, before the shutdown in Sierra. Once you find log entries from around the right time, you can see what text they contain. Then you can decide what goes into the AppleScript command.

    There's a possibility that plain text log files used in earlier OS versions may have been eliminated or replaced by database files in Sierra. You can begin investigating this by using Console.app instead of 'grep' in Terminal. If Console.app can display a log, but grep can't search a text file, then that suggests the log in question is no longer a plain text file.

    #6 can use the 5-minute gap of step 3 to decide whether a logged text came before the shutdown or after. There may be additional text in the log about the startup.

    #5 might take some creative thinking, because it may need to adapt to the format of different log files. Also, multiple log files might contain useful text from before the shutdown. You'll have to look at all of them that have log entries around the time of the shutdown.
     
  10. nelly22 thread starter macrumors 6502

    Joined:
    Sep 29, 2009
    #10
    Thanks for long answer.

    I tried your 5 minute test and i can't find anything usable. But then i'm not unix/logs expert at all.

    I can't remember exact grep code i used but i found it from net and it was some thing like this:

    Code:
    do shell script "grep -r 'shutdown' /var/log"
     
  11. chown33, Oct 20, 2016
    Last edited: Oct 20, 2016

    chown33 macrumors 604

    Joined:
    Aug 9, 2009
    Location:
    Sailing beyond the sunset
    #11
    We can't see your screen, so we don't know what you saw that you concluded was unusable.

    If you want us to look at the results, you'll have to post them.


    Copy and paste this exact command into a Terminal window:
    Code:
    grep -ri shutdown /var/log >~/Shutdowns.txt
    The output will be in the file "Shutdowns.txt" in your home folder.

    If you want us to see the output, post it.

    If the output is more than about 20KB, upload the file.
    If it's less, copy and paste it into a post using CODE tags.


    EDIT:

    Also post the output from this Terminal command:
    Code:
    syslog | grep -i shutdown >~/Sys-shutdowns.txt
    The output will be in the file "Sys-shutdowns.txt" in your home folder.

    This is one of the logs that's been converted from a plain text file to a system database. Read the man page for the 'syslog' command to learn what the command can do.

    Read the man page for asl(3) for the library functions that operate on this log:
    https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man3/asl.3.html
     
  12. nelly22 thread starter macrumors 6502

    Joined:
    Sep 29, 2009
    #12
    Code:
    home:~ Nelly$ grep -ri shutdown /var/log
    grep: /var/log/asl/2016.10.15.U0.asl: Permission denied
    grep: /var/log/asl/2016.10.17.U0.asl: Permission denied
    grep: /var/log/asl/2016.10.18.U0.asl: Permission denied
    grep: /var/log/asl/2016.10.19.U0.asl: Permission denied
    grep: /var/log/com.apple.revisiond: Permission denied
    Binary file /var/log/DiagnosticMessages/2016.10.12.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.13.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.14.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.15.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.16.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.17.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.18.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.19.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.20.asl matches
    Binary file /var/log/DiagnosticMessages/2016.10.21.asl matches
    /var/log/install.log:May 17 10:17:42 MacBook-Pro OSInstaller[446]: Detected user may have force-shutdown the machine.
    /var/log/install.log:Oct 12 01:24:36 MacBook-Pro OSInstaller[480]: Detected user may have force-shutdown the machine.
    /var/log/opendirectoryd.log.1:2016-10-20 11:50:34.703499 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    /var/log/opendirectoryd.log.2:2016-10-20 09:04:19.082260 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    /var/log/opendirectoryd.log.3:2016-10-20 00:43:04.755314 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    /var/log/opendirectoryd.log.4:2016-10-18 23:43:05.041394 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    /var/log/opendirectoryd.log.5:2016-10-18 03:23:07.244421 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    /var/log/opendirectoryd.log.6:2016-10-17 03:43:04.821774 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    Binary file /var/log/opendirectoryd.log.7 matches
    /var/log/opendirectoryd.log.8:2016-10-15 00:54:04.634760 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    /var/log/opendirectoryd.log.9:2016-10-14 06:47:02.741555 EEST - AID: 0x0000000000000000 - Starting shutdown process...
    grep: /var/log/SleepWakeStacks.bin: Permission denied
    
    home:~ Nelly$ syslog | grep -i shutdown
    NOTE:  Most system logs have moved to a new logging system.  See log(1) for more information.
     
  13. Sciuriware macrumors 6502

    Sciuriware

    Joined:
    Jan 4, 2014
    Location:
    Gelderland
    #13
    Almost the same output as I got on Sierra 10.12
    ;JOOP!
     
  14. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    Location:
    Sailing beyond the sunset
    #14
    All the lines for Binary file /var/log/DiagnosticMessages/* say the file contains a match. Read the man page for 'grep' for details. Find the word "binary" for an explanation of what grep does when it finds a binary file.

    The ".asl" suffix strongly suggests those files are ASL formatted logs. The 'syslog' command should be able to list them. See its man page.

    The NOTE message tells you about the new logging system. It also suggests which man page to read.

    The man page for this new logging system doesn't appear to be online at Apple. So I can't point you to it.

    To read its man page in Terminal:
    Code:
    man 1 log

    I don't have Sierra installed here. I'm not going to install it just to search its logs. So if you can't work out a way to proceed from here, I won't be able to give any more help, unless it happens to be something that works on an OS I have here.
     

Share This Page