
chris5280

macrumors newbie
Original poster
Mar 11, 2009
6
0
I'm running OSX 10.13.3. I understand that if I run the following command in terminal I will get the wake reason for my machine.

log show --style syslog | fgrep "Wake reason"

Currently when I run the above command in terminal it gives me information dating back to 2/17/18. I have cleared all data in my log files, including: private/var/log; user/Library/Logs; Macintosh HD/Library/Logs - therefore it's not pulling from any of those locations. I would have thought the wake reason would have been contained in the system.log file. But clearly it's not, since even after deleting that file and rebooting, the above command still continues to list information dating back to 3 weeks ago and the system.log file only contains data from the time the file was re-created.

Can someone please explain where this information is being pulled from? Is there a specific log file with this information? Or is it buried somewhere in an ASL database file? Or put another way, what syslog is the above command searching to return the wake reason (knowing it's not any of the files referenced above, including system.log)?

Thank you.
 

chris5280

macrumors newbie
Original poster
Mar 11, 2009
6
0
Update/answer: syslog files are now part of Unified Logging, stored here:

/var/db/diagnostics/
/var/db/uuidtext/

Reference here for more info:

https://eclecticlight.co/2017/09/23...olves-more-persistent-and-a-valuable-log-log/
https://www.mac4n6.com/blog/2016/11...orensic-artifacts-introducing-unified-logging
https://developer.apple.com/documentation/os/logging?language=occ

Use terminal and the "log collect" command to collect records and export them to disk. Use "log show" to review. Must be logged in as root in terminal.

Example:
log collect --start "2018-03-05" --output /Users/username/desktop/mylogs.logarchive
log show /Users/username/desktop/mylogs.logarchive

Finally, to narrow down wake reason search, use date commands:
log show --style syslog --start "2018-03-07" | fgrep "Wake reason"
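
Added example, not part of the original post: a small shell filter that turns the text produced by the `log show --style syslog` command above into a per-wake list and a tally of wake reasons. The syslog line layout (date, time with zone offset, host, process) is an assumption, the sample lines are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Summarise "Wake reason" entries from `log show --style syslog` text.
# Reads stdin, so it works on live output or on text saved from a .logarchive.

# Print "<date> <time><TAB><reason>" for every wake-reason line.
wake_reasons() {
    awk '
        /Wake reason:/ {
            # Assumed layout: field 1 = date, field 2 = time with zone offset.
            reason = $0
            sub(/^.*Wake reason:[ \t]*/, "", reason)
            sub(/[ \t]+$/, "", reason)
            if (reason == "") reason = "(none reported)"
            ts = $2
            sub(/\.[0-9]+/, "", ts)   # drop fractional seconds, keep the zone offset
            printf "%s %s\t%s\n", $1, ts, reason
        }'
}

# Tally how often each reason occurs, most frequent first.
wake_reason_counts() {
    wake_reasons | cut -f2 | sort | uniq -c | sort -rn
}

# Constructed sample lines (not real output from any machine).
sample_log() {
    cat <<'EOF'
Timestamp                       (process)[PID]
2018-03-07 06:12:44.101010-0700  localhost kernel[0]: (AppleACPIPlatform) Wake reason: RTC (Alarm)
2018-03-07 08:15:02.123456-0700  localhost kernel[0]: (AppleACPIPlatform) Wake reason: EC.LidOpen (User)
2018-03-07 08:15:03.000001-0700  localhost powerd[55]: Some unrelated message
2018-03-08 06:12:44.202020-0700  localhost kernel[0]: (AppleACPIPlatform) Wake reason: RTC (Alarm)
2018-03-08 23:59:59.999999-0700  localhost kernel[0]: (AppleACPIPlatform) Wake reason:
EOF
}

# On a Mac, after sourcing this file:
#   log show --style syslog --start "2018-03-07" | wake_reason_counts
# Offline check against the constructed sample:
#   sample_log | wake_reasons
```

A wake with an empty reason field is reported as "(none reported)" rather than dropped, so gaps in the record stay visible in the tally.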
 