Sweepfor Mac
Free Download

Mac maintenance

How to Use Console.app on Mac (a Practical Guide)

Console.app on Mac shows live logs from every process. Here's how to filter the noise, save useful searches, and use Console for real troubleshooting.

10 min read

The first time most people open Console.app, they last about five seconds before quitting. A wall of text scrolls by faster than anyone can read, full of cryptic process names and references to subsystems and frameworks they’ve never heard of. There’s no obvious way to turn the volume down. The “search” field doesn’t seem to do what searching should do.

Console.app is genuinely powerful — it’s how Apple engineers themselves debug — but its UI is built for people who already know what they’re looking for. Once you learn the filtering syntax and the few buttons that actually matter, it transforms from “incomprehensible chaos” to “the most useful diagnostic tool on macOS.”

Where Console Lives and What It Shows

Console.app is at /System/Applications/Utilities/Console.app on Sonoma+ (or /Applications/Utilities/Console.app on older macOS). When it opens, you see:

  • A sidebar listing your Mac, plus any iOS, iPadOS, or watchOS devices currently connected via USB
  • Under each device, a Crash Reports section
  • A main pane that streams live log entries from the selected source
  • A search bar at the top
  • A Now/Pause toggle

The default view is overwhelming because it shows every log message from every process at every level. The first thing to do is filter.

The Filter Syntax

Console.app’s search bar is more capable than it looks. Plain text searches across messages, but you can also use field-prefixed searches:

  • process:Safari — only entries from Safari
  • process:!Safari — everything except Safari
  • subsystem:com.apple.network — only network-related entries
  • category:cloudd — entries in the cloudd category
  • pid:421 — entries from process ID 421
  • sender:Spotlight — entries from a specific binary

You can combine these. To see all errors from the kernel:

process:kernel type:error

Type filters: type:default, type:info, type:debug, type:error, type:fault. The first two are noisy; the last two are usually what you want when troubleshooting.

For text in the message itself, just type the word:

process:Safari "page load"

Quotation marks let you search for phrases.

Saving Useful Searches

The Console toolbar has a “Save” button that captures your current filter as a saved search. You can name it and pin it to the sidebar.

Some saved searches worth creating:

  • “Crashes”type:fault OR type:error process:!cfprefsd process:!locationd (filters out the noisiest non-crash sources)
  • “My App”process:MyApp for whatever app you maintain or use heavily
  • “Network errors”subsystem:com.apple.network type:error
  • “Kernel”process:kernel type:error OR type:fault
  • “Wake”process:powerd for power management events

Once saved, they appear in the left sidebar and you can swap between them with one click.

Power users use SweepSweep handles all the cleanup that articles like this describe. Get Sweep free →

Live Streaming vs. Showing Old Logs

By default, Console shows the live stream — new entries appear as they happen. The “Pause” button at the top freezes the stream so you can scroll up without entries shifting under your cursor.

To search historical logs (not just what’s happened since you opened Console), check View → Show Log List in the menu bar. This adds a sidebar showing log archives — typically a “Now” entry plus a few previous “Sessions” or “Archives” representing earlier time ranges.

Click an archive to load entries from that period. You can then search within it the same way you’d search the live stream.

Crash Reports

The Crash Reports section in the sidebar is where Console’s value really shows up. Every crash, hang, kernel panic, and shutdown stall on your Mac generates a report here.

Each report has:

  • A header with the process name, version, OS version, and timestamp
  • An exception type (EXC_BAD_ACCESS, EXC_CRASH, EXC_RESOURCE)
  • A thread state showing which thread crashed and why
  • A backtrace showing the stack at the moment of crash
  • A list of loaded binaries

For an end user, the most useful info is at the top: the Application Specific Information field often has a human-readable summary of what went wrong.

For developers or anyone reporting a bug, the entire file is what matters. Right-click the report and choose “Show in Finder” to find the underlying .ips file (modern format) or .crash (older format), which you can attach to a bug report.

Tip: If an app keeps crashing, look at the most recent five reports. If they all show the same exception in the same library, the cause is consistent — usually a corrupt preference, a missing font, or an incompatible plug-in.

Hang Reports

Different from crashes: a hang is when an app stops responding for several seconds and the system samples its threads. The result is in the Crash Reports section as a .hang file (or shows up in /Library/Logs/DiagnosticReports/).

Hang reports are less detailed than crash reports but tell you what the unresponsive process was doing when sampled. Look for the call stack — if it’s blocked on file I/O, your disk might be slow. If it’s blocked on a network call, you’re waiting on the network. If it’s spinning in user code, the app has a bug.

Kernel Panic Logs

A kernel panic — when macOS itself crashes and forces a restart — generates a .panic file in /Library/Logs/DiagnosticReports/. These are tricky to read but the first 30 lines often tell the story.

Look for:

  • OS version — confirms which macOS version was running
  • Kernel version — the specific kernel build
  • Panicked task — what was running when the panic happened
  • Backtrace — the chain of calls leading to the panic

If you see references to a third-party kext (kernel extension) in the backtrace — for example, anything from a VPN, antivirus, or hardware driver — that’s almost certainly the cause. Apple’s macOS kernel itself rarely panics from its own code; it panics because something it’s holding is broken.

The Unified Log Behind Console

Everything in Console.app comes from the unified log, the same backing store accessed by the log command-line tool. Console is a GUI on top of log show and log stream. Anything you can do in Console, you can do in Terminal:

log stream --predicate 'process == "Mail"'

That gives you the same live feed Console shows when filtering for Mail. Console is friendlier for browsing; Terminal is friendlier for scripting and capturing output.

The unified log is also why old text-based Mac log files like /var/log/system.log are mostly empty now. Apple migrated almost everything into the unified log starting with macOS Sierra.

There’s a faster waySweep does this kind of cleanup automatically. Try Sweep free →

Specific Real-World Uses

A few troubleshooting scenarios where Console has a real edge:

“Why does my Mac wake up at random times?”

Filter for process:powerd. You’ll see entries describing wake events with reasons:

  • “Wake reason: USB” — a USB device drew power or sent a signal
  • “Wake reason: BT.HID” — a Bluetooth keyboard/mouse woke it
  • “Wake reason: Network (Bonjour)” — something on your network pinged it
  • “Wake reason: Lid Open”

If you see consistent wakes from Network events, it’s “Wake for Network Access” in Energy preferences doing its job — which you may want to turn off on a laptop on battery.

”My VPN keeps dropping”

Filter subsystem:com.apple.network plus the VPN app’s process name. You’ll see DNS lookups, route changes, and connection state transitions. Often the VPN’s logs alone don’t explain why it lost connectivity, but the unified log shows a network change happened (Wi-Fi flapped, DNS changed) right before the drop.

”An app launches and immediately quits”

Filter by the app’s process name and watch for crash signatures. If the launch attempt produces a sandbox violation, you’ll see an entry from sandboxd. If it’s a code-signing issue, the entry comes from taskgated or amfi.

”iCloud sync seems stuck”

Filter subsystem:com.apple.cloudd OR subsystem:com.apple.bird. The bird daemon is iCloud Drive specifically. You’ll see file uploads, downloads, and any errors with reachability or quota.

”Spotlight isn’t finding things”

Filter subsystem:com.apple.spotlight OR process:mds OR process:mds_stores. You’ll see indexing progress, errors, and skipped paths. Combine with mdutil -s / in Terminal to confirm indexing is enabled.

Limits of Console

Console doesn’t tell you everything. Specifically:

  • App-internal state — Console only sees what processes choose to log. An app that doesn’t log its operations is opaque.
  • Hardware-level events below the kernel — disk firmware, controller-level USB events, GPU driver guts. Some of this gets into the kernel log; much doesn’t.
  • What’s in <private> fields — Apple redacts private data by default. You can unredact with admin tools, but most users won’t.

For these, you fall back to specific tools: iostat and iotop for disk; nettop for network; powermetrics for energy and CPU.

Practical Workflow

A workflow that makes Console useful day to day:

  1. When something weird happens (crash, freeze, slow performance), open Console.
  2. Filter to roughly the time window. Use “Pause,” scroll back, and find the moment of trouble.
  3. Narrow the predicate by process or subsystem until the noise drops to something you can read.
  4. Look for error and fault entries first — Apple-flagged problems.
  5. Use the activity ID column to follow related entries across processes.
  6. If you find something useful, save the search.

That’s it. Most problems on macOS get diagnosed in Console without ever needing Terminal, third-party tools, or a developer’s help. The hardest part is just being willing to read the output instead of bouncing off the wall of text on first contact.

← Back to all guides