From 92864d4a8abfe467c49a7917946b5c16286a7f26 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Thu, 29 Aug 2024 15:47:46 -0500 Subject: [PATCH] Update logging information for macOS --- .../About/about_Logging_Non-Windows.md | 104 +++++++----------- .../About/about_Logging_Non-Windows.md | 104 +++++++----------- .../About/about_Logging_Non-Windows.md | 104 +++++++----------- 3 files changed, 123 insertions(+), 189 deletions(-) diff --git a/reference/7.2/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md b/reference/7.2/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md index 044f26db63d1..ffccd96bb943 100644 --- a/reference/7.2/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md +++ b/reference/7.2/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md @@ -1,7 +1,7 @@ --- description: PowerShell logs internal operations from the engine, providers, and cmdlets. Locale: en-US -ms.date: 01/03/2024 +ms.date: 08/29/2024 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging_non-windows?view=powershell-7.2&WT.mc_id=ps-gethelp schema: 2.0.0 title: about Logging Non-Windows @@ -10,6 +10,7 @@ title: about Logging Non-Windows # about_Logging_Non-Windows ## Short description + PowerShell logs internal operations from the engine, providers, and cmdlets. ## Long description 
@@ -279,52 +280,20 @@ log file named `powershell.log`. ## Viewing PowerShell log data on macOS PowerShell logs to Apple's unified logging system, a feature of macOS that -allows for the collection and storage of system and application logs in a single -centralized location. - -Apple's unified logging system stores log messages in binary format. Use the -Console app or log tool to query the unified logging system for PowerShell -entries. - -### Viewing PowerShell log data in the Console application on macOS - -The **Console** application on macOS is a utility that provides a graphical user -interface for viewing log data. The **Console** application is included with -macOS by default and can be accessed by opening the **Utilities** folder in the -**Applications** folder. - -Use the following steps to view PowerShell log data in the Console application -on macOS: - -1. Search for the **Console** application and launch it. -1. Select the Machine name under **Devices**. -1. In the **Search** field, enter `pwsh` for the PowerShell main binary and - press return. -1. Change the search filter from `Any` to `Process`. -1. Click **Start**. -1. Run `pwsh` to generate PowerShell information to log. - -The process ID for a running instance of PowerShell is stored in the `$PID` -variable. Use the following steps to filter on a specific process instance of -PowerShell in the **Console** application. - -1. Run an instance of `pwsh`. -1. Run `$PID` in the instance of PowerShell started in the previous step to - determine its process ID. -1. Enter the process ID for `pwsh` in the **Search** field and press - return. -1. Change the search filter from `Any` to `PID`. -1. Click **Start**. -1. Generate PowerShell information to log from the instance of PowerShell - started in the first step. +allows for the collection and storage of system and application logs in a +single centralized location. -For more information, see [view log messages in Console on Mac][08]. 
+Apple's unified logging system stores log messages in binary format. You must +use the `log` tool to query the unified logging system for PowerShell log +events. The PowerShell log events don't appear in the **Console** application +on macOS. Console app is designed for the older _syslog-based_ logging that +predates the unified logging system. ### Viewing PowerShell log data from the command line on macOS To view PowerShell log data from a command line on macOS, use the `log` command in the **Terminal** or other shell host application. These commands can be run -from **PowerShell**, **Z shell** (**Zsh**), or **Bash**. +from **PowerShell**, **ZShell**, or **Bash**. In the following example, the `log` command is used to show the log data on your system as it's occurring in realtime. The **process** parameter filters the log 
@@ -333,9 +302,38 @@ running, the **process** parameter also accepts a process ID as its value. The **level** parameter shows messages at the specified level and below. ```powershell -log stream --process pwsh --level info +log stream --predicate "subsystem == 'com.microsoft.powershell'" --level info ``` +The `log show` command can be used to export log items. The `log show` command +provides options for exporting the last `N` items, items since a given time, or +items within a given time span. + +For example, the following command exports items since +`9am on April 5, 2022`: + +```powershell +log show --start "2022-04-05 09:00:00" --predicate "subsystem == 'com.microsoft.powershell'" +``` + +For more information, run `log show --help` to view the help for the `log show` +command. + +You can also output the log data in JSON format, which allows you to convert +the event data to PowerShell objects. The following example outputs the events +in JSON format.The `ConvertFrom-Json` cmdlet is used to convert the JSON data +to PowerShell objects are get stored in the `$logRecord` variable. + +```powershell +log show --predicate "subsystem == 'com.microsoft.powershell'" --style json | + ConvertFrom-Json | Set-Variable logRecord +``` + +You may also want to consider saving the logs to a more secure location such as +[Security Information and Event Management (SIEM)][08] aggregator. Using +Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more +information, see [Generic SIEM integration][01]. + ### Modes and levels of PowerShell log data on macOS By default, the PowerShell subsystem logs info level messages to memory (mode) 
@@ -357,25 +355,6 @@ PowerShell subsystem: sudo log config --subsystem com.microsoft.powershell --reset ``` -The `log show` command can be used to export log items. The `log show` command -provides options for exporting the last `N` items, items since a given time, or -items within a given time span. - -For example, the following command exports items since -`9am on April 5 of 2022`: - -```powershell -log show --info --start "2022-04-05 09:00:00" --process pwsh -``` - -For more information, run `log show --help` to view the help for the `log show` -command. - -You may also want to consider saving the logs to a more secure location such as -[Security Information and Event Management (SIEM)][09] aggregator. Using -Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more -information, see [Generic SIEM integration][01]. - ## See also - For Linux **syslog** and **rsyslog.conf** information, refer to the Linux @@ -393,5 +372,4 @@ information, see [Generic SIEM integration][01]. [05]: about_PowerShell_Config.md#modulelogging [06]: about_PowerShell_Config.md#protectedeventlogging [07]: https://developer.apple.com/documentation/os/logging -[08]: https://support.apple.com/guide/console/log-messages-cnsl1012/mac -[09]: https://wikipedia.org/wiki/Security_information_and_event_management +[08]: https://wikipedia.org/wiki/Security_information_and_event_management diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md index 409742b3d9ea..2566605bee72 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md 
@@ -1,7 +1,7 @@ --- description: PowerShell logs internal operations from the engine, providers, and cmdlets. Locale: en-US -ms.date: 01/03/2024 +ms.date: 08/29/2024 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging_non-windows?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: about Logging Non-Windows @@ -10,6 +10,7 @@ title: about Logging Non-Windows # about_Logging_Non-Windows ## Short description + PowerShell logs internal operations from the engine, providers, and cmdlets. ## Long description 
@@ -279,52 +280,20 @@ log file named `powershell.log`. ## Viewing PowerShell log data on macOS PowerShell logs to Apple's unified logging system, a feature of macOS that -allows for the collection and storage of system and application logs in a single -centralized location. - -Apple's unified logging system stores log messages in binary format. Use the -Console app or log tool to query the unified logging system for PowerShell -entries. - -### Viewing PowerShell log data in the Console application on macOS - -The **Console** application on macOS is a utility that provides a graphical user -interface for viewing log data. The **Console** application is included with -macOS by default and can be accessed by opening the **Utilities** folder in the -**Applications** folder. - -Use the following steps to view PowerShell log data in the Console application -on macOS: - -1. Search for the **Console** application and launch it. -1. Select the Machine name under **Devices**. -1. In the **Search** field, enter `pwsh` for the PowerShell main binary and - press return. -1. Change the search filter from `Any` to `Process`. -1. Click **Start**. -1. Run `pwsh` to generate PowerShell information to log. - -The process ID for a running instance of PowerShell is stored in the `$PID` -variable. Use the following steps to filter on a specific process instance of -PowerShell in the **Console** application. - -1. Run an instance of `pwsh`. -1. Run `$PID` in the instance of PowerShell started in the previous step to - determine its process ID. -1. Enter the process ID for `pwsh` in the **Search** field and press - return. -1. Change the search filter from `Any` to `PID`. -1. Click **Start**. -1. Generate PowerShell information to log from the instance of PowerShell - started in the first step. +allows for the collection and storage of system and application logs in a +single centralized location. -For more information, see [view log messages in Console on Mac][08]. 
+Apple's unified logging system stores log messages in binary format. You must +use the `log` tool to query the unified logging system for PowerShell log +events. The PowerShell log events don't appear in the **Console** application +on macOS. Console app is designed for the older _syslog-based_ logging that +predates the unified logging system. ### Viewing PowerShell log data from the command line on macOS To view PowerShell log data from a command line on macOS, use the `log` command in the **Terminal** or other shell host application. These commands can be run -from **PowerShell**, **Z shell** (**Zsh**), or **Bash**. +from **PowerShell**, **ZShell**, or **Bash**. In the following example, the `log` command is used to show the log data on your system as it's occurring in realtime. The **process** parameter filters the log 
@@ -333,9 +302,38 @@ running, the **process** parameter also accepts a process ID as its value. The **level** parameter shows messages at the specified level and below. ```powershell -log stream --process pwsh --level info +log stream --predicate "subsystem == 'com.microsoft.powershell'" --level info ``` +The `log show` command can be used to export log items. The `log show` command +provides options for exporting the last `N` items, items since a given time, or +items within a given time span. + +For example, the following command exports items since +`9am on April 5, 2022`: + +```powershell +log show --start "2022-04-05 09:00:00" --predicate "subsystem == 'com.microsoft.powershell'" +``` + +For more information, run `log show --help` to view the help for the `log show` +command. + +You can also output the log data in JSON format, which allows you to convert +the event data to PowerShell objects. The following example outputs the events +in JSON format.The `ConvertFrom-Json` cmdlet is used to convert the JSON data +to PowerShell objects are get stored in the `$logRecord` variable. + +```powershell +log show --predicate "subsystem == 'com.microsoft.powershell'" --style json | + ConvertFrom-Json | Set-Variable logRecord +``` + +You may also want to consider saving the logs to a more secure location such as +[Security Information and Event Management (SIEM)][08] aggregator. Using +Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more +information, see [Generic SIEM integration][01]. + ### Modes and levels of PowerShell log data on macOS By default, the PowerShell subsystem logs info level messages to memory (mode) 
@@ -357,25 +355,6 @@ PowerShell subsystem: sudo log config --subsystem com.microsoft.powershell --reset ``` -The `log show` command can be used to export log items. The `log show` command -provides options for exporting the last `N` items, items since a given time, or -items within a given time span. - -For example, the following command exports items since -`9am on April 5 of 2022`: - -```powershell -log show --info --start "2022-04-05 09:00:00" --process pwsh -``` - -For more information, run `log show --help` to view the help for the `log show` -command. - -You may also want to consider saving the logs to a more secure location such as -[Security Information and Event Management (SIEM)][09] aggregator. Using -Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more -information, see [Generic SIEM integration][01]. - ## See also - For Linux **syslog** and **rsyslog.conf** information, refer to the Linux @@ -393,5 +372,4 @@ information, see [Generic SIEM integration][01]. [05]: about_PowerShell_Config.md#modulelogging [06]: about_PowerShell_Config.md#protectedeventlogging [07]: https://developer.apple.com/documentation/os/logging -[08]: https://support.apple.com/guide/console/log-messages-cnsl1012/mac -[09]: https://wikipedia.org/wiki/Security_information_and_event_management +[08]: https://wikipedia.org/wiki/Security_information_and_event_management diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md index 83072dc80f0d..4bb766c45ec8 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Logging_Non-Windows.md 
@@ -1,7 +1,7 @@ --- description: PowerShell logs internal operations from the engine, providers, and cmdlets. Locale: en-US -ms.date: 01/03/2024 +ms.date: 08/29/2024 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging_non-windows?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 title: about Logging Non-Windows @@ -10,6 +10,7 @@ title: about Logging Non-Windows # about_Logging_Non-Windows ## Short description + PowerShell logs internal operations from the engine, providers, and cmdlets. ## Long description 
@@ -279,52 +280,20 @@ log file named `powershell.log`. ## Viewing PowerShell log data on macOS PowerShell logs to Apple's unified logging system, a feature of macOS that -allows for the collection and storage of system and application logs in a single -centralized location. - -Apple's unified logging system stores log messages in binary format. Use the -Console app or log tool to query the unified logging system for PowerShell -entries. - -### Viewing PowerShell log data in the Console application on macOS - -The **Console** application on macOS is a utility that provides a graphical user -interface for viewing log data. The **Console** application is included with -macOS by default and can be accessed by opening the **Utilities** folder in the -**Applications** folder. - -Use the following steps to view PowerShell log data in the Console application -on macOS: - -1. Search for the **Console** application and launch it. -1. Select the Machine name under **Devices**. -1. In the **Search** field, enter `pwsh` for the PowerShell main binary and - press return. -1. Change the search filter from `Any` to `Process`. -1. Click **Start**. -1. Run `pwsh` to generate PowerShell information to log. - -The process ID for a running instance of PowerShell is stored in the `$PID` -variable. Use the following steps to filter on a specific process instance of -PowerShell in the **Console** application. - -1. Run an instance of `pwsh`. -1. Run `$PID` in the instance of PowerShell started in the previous step to - determine its process ID. -1. Enter the process ID for `pwsh` in the **Search** field and press - return. -1. Change the search filter from `Any` to `PID`. -1. Click **Start**. -1. Generate PowerShell information to log from the instance of PowerShell - started in the first step. +allows for the collection and storage of system and application logs in a +single centralized location. -For more information, see [view log messages in Console on Mac][08]. 
+Apple's unified logging system stores log messages in binary format. You must +use the `log` tool to query the unified logging system for PowerShell log +events. The PowerShell log events don't appear in the **Console** application +on macOS. Console app is designed for the older _syslog-based_ logging that +predates the unified logging system. ### Viewing PowerShell log data from the command line on macOS To view PowerShell log data from a command line on macOS, use the `log` command in the **Terminal** or other shell host application. These commands can be run -from **PowerShell**, **Z shell** (**Zsh**), or **Bash**. +from **PowerShell**, **ZShell**, or **Bash**. In the following example, the `log` command is used to show the log data on your system as it's occurring in realtime. The **process** parameter filters the log 
@@ -333,9 +302,38 @@ running, the **process** parameter also accepts a process ID as its value. The **level** parameter shows messages at the specified level and below. ```powershell -log stream --process pwsh --level info +log stream --predicate "subsystem == 'com.microsoft.powershell'" --level info ``` +The `log show` command can be used to export log items. The `log show` command +provides options for exporting the last `N` items, items since a given time, or +items within a given time span. + +For example, the following command exports items since +`9am on April 5, 2022`: + +```powershell +log show --start "2022-04-05 09:00:00" --predicate "subsystem == 'com.microsoft.powershell'" +``` + +For more information, run `log show --help` to view the help for the `log show` +command. + +You can also output the log data in JSON format, which allows you to convert +the event data to PowerShell objects. The following example outputs the events +in JSON format.The `ConvertFrom-Json` cmdlet is used to convert the JSON data +to PowerShell objects are get stored in the `$logRecord` variable. + +```powershell +log show --predicate "subsystem == 'com.microsoft.powershell'" --style json | + ConvertFrom-Json | Set-Variable logRecord +``` + +You may also want to consider saving the logs to a more secure location such as +[Security Information and Event Management (SIEM)][08] aggregator. Using +Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more +information, see [Generic SIEM integration][01]. + ### Modes and levels of PowerShell log data on macOS By default, the PowerShell subsystem logs info level messages to memory (mode) 
@@ -357,25 +355,6 @@ PowerShell subsystem: sudo log config --subsystem com.microsoft.powershell --reset ``` -The `log show` command can be used to export log items. The `log show` command -provides options for exporting the last `N` items, items since a given time, or -items within a given time span. - -For example, the following command exports items since -`9am on April 5 of 2022`: - -```powershell -log show --info --start "2022-04-05 09:00:00" --process pwsh -``` - -For more information, run `log show --help` to view the help for the `log show` -command. - -You may also want to consider saving the logs to a more secure location such as -[Security Information and Event Management (SIEM)][09] aggregator. Using -Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more -information, see [Generic SIEM integration][01]. - ## See also - For Linux **syslog** and **rsyslog.conf** information, refer to the Linux @@ -393,5 +372,4 @@ information, see [Generic SIEM integration][01]. [05]: about_PowerShell_Config.md#modulelogging [06]: about_PowerShell_Config.md#protectedeventlogging [07]: https://developer.apple.com/documentation/os/logging -[08]: https://support.apple.com/guide/console/log-messages-cnsl1012/mac -[09]: https://wikipedia.org/wiki/Security_information_and_event_management +[08]: https://wikipedia.org/wiki/Security_information_and_event_management
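Review bot: The new paragraph in the `@@ -279,52 +280,20 @@` hunk (identical in the 7.2, 7.4 and 7.5 files) asserts that Console "is designed for the older _syslog-based_ logging that predates the unified logging system", which is not an accurate explanation for why the events are missing: Console on current macOS reads the unified log, but hides info- and debug-level messages unless they are enabled from its Action menu, and this page itself says the PowerShell subsystem logs at info level by default. Suggest stating the observed behaviour rather than the history, e.g. "PowerShell's info-level events don't appear in **Console** with its default filters; use the `log` tool to query them", and, since the `[08]` Console link and the step list are being removed, leaving one sentence for readers who prefer the GUI. Also "Console app is designed" should read "The **Console** app is designed" to match the bold usage earlier in the same paragraph.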
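Review bot: The one-word change from "**Z shell** (**Zsh**)" to "**ZShell**" under `### Viewing PowerShell log data from the command line on macOS` (all three files) replaces the shell's documented name with a spelling the project doesn't use; it calls itself "Z shell" and the binary is `zsh`. Suggest reverting that line or writing `zsh`, since the rest of the patch doesn't depend on it.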
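Review bot: In the `@@ -333,9 +302,38 @@` hunk the `log stream` example changes from `--process pwsh` to `--predicate "subsystem == 'com.microsoft.powershell'"`, but the unchanged context lines directly above it still explain that "The **process** parameter filters the log" and that "the **process** parameter also accepts a process ID as its value", which the new command no longer uses. Either rewrite that paragraph to describe the `subsystem` predicate (and move or drop the process-ID remark), or keep `--process pwsh` in the example next to the predicate so the prose and the command agree.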
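Review bot: The relocated `log show` example silently drops the `--info` flag that the removed version carried (`log show --info --start "2022-04-05 09:00:00" --process pwsh` becomes `log show --start "2022-04-05 09:00:00" --predicate ...`), and the new `--style json` example has no level flag at all. Unlike `log stream`, where the hunk keeps `--level info`, `log show` leaves info-level messages out unless `--info` is given, and the retained "Modes and levels" section says the PowerShell subsystem logs info-level messages by default, so both `log show` commands as written can return no PowerShell events. Suggest `log show --info --start "2022-04-05 09:00:00" --predicate "subsystem == 'com.microsoft.powershell'"` and adding `--info` to the JSON example too, in all three files.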
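Review bot: The new JSON paragraph in the same hunk has a missing space and a garbled clause: "in JSON format.The `ConvertFrom-Json` cmdlet is used to convert the JSON data to PowerShell objects are get stored in the `$logRecord` variable." Suggest "in JSON format. The `ConvertFrom-Json` cmdlet converts the JSON data to PowerShell objects, which are stored in the `$logRecord` variable." The example then ends its pipeline with `| Set-Variable logRecord`; a plain assignment, `$logRecord = log show --predicate "subsystem == 'com.microsoft.powershell'" --style json | ConvertFrom-Json`, is the idiomatic PowerShell form and matches the `$logRecord` the prose names.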