The 10.15.3-10.15.6 Update Erases Almost all /var/log files
UPDATE: 09/01/20 – The problem is still in the latest build of 10.15.6.
Think about the last issue time that you had an issue and needed to troubleshoot. Right off the bat, you would start looking over the logs to pinpoint the exact point of failure. After installing the Catalina 10.15.3 Update, it’s going to be a little harder to do that. Almost all the /var/log files have been erased and start over the minute after the 10.15.3 update finished installing.
10.15.3 Update Problems
This is my 4th article on 10.15.3 Combo Update issues. If you have not seen them yet, you can view them below.
- https://mrmacintosh.com/10-15-3-combo-security-updates-are-not-creating-backup-snapshots/
- https://mrmacintosh.com/catalina-10-15-3-update-reverts-custom-pam-d-sshd_config-settings/
- https://mrmacintosh.com/10-15-3-update-breaks-ad-domain-users-admin-sudo-access-fix-inside/
Howard Oakley over at eclecticlight.co has also been tracking multiple issues. He is focused on new 10.15.3 Time Machine Problems.
- https://eclecticlight.co/2020/02/12/time-machine-in-catalina-10-15-3-has-serious-bugs/
- https://eclecticlight.co/2020/02/01/pervasive-effects-of-the-catalina-10-15-3-update/
- https://eclecticlight.co/2020/02/06/orphaned-snapshots-a-growing-problem/
- https://eclecticlight.co/2020/02/05/errors-in-the-night-and-snapshot-problems/
Let’s take a closer look.
What the heck is going on here? Why would Apple delete important logs? This issue is most likely a bug in the combo update installer.
The test setup is pretty straight forward.
- Build out a fresh 10.15.2 system
- Verify system log creation times
- Create a custom .log file
- Verify 3rd Party Vendor Log times
- Update to 10.15.3
- Find that almost all /var/log files are erased.
Which log files are erased and which ones are spared?
Erased Log Files in /var/log
- System.log
- WiFi.log
- Jamf.log
- Alf.log
- fsck_apfs.log
- fsck_apfs_error.log
- Applefirewall.log
- Cups, Bluetooth, Powermanagement & Display Policy logs
Spared Log files in /var/log
- Install.log
- .gz and .bz System and wifi zipped backup files
All log files have the exact “Created” date and time when the 10.15.3 combo update was installing.
What can I do about this?
Let Apple know about this! Hopefully this can be fixed in 10.15.4!
Until then you probably want your log files. The best thing you can do for now is to run a Jamf policy that will backup your /var/log files. We install our updates with a Jamf policy.
Right before we kick off softareupdate -iaR we backup all /var/log files to a temporary directory. We put them back with a LaunchDaemon that kicks off after the combo update reboot.
I hope that these articles have helped you! If you have any questions, leave a comment below or Contact Me.
This absolutely killed me. We have several launchctl jobs that output to log files under /var/log/launch-agents, and the upgrade deleted that entire directory. Not only that, but because the directory no longer exists, the jobs were failing to run, which meant our Macs haven’t been backing up for months!
Upgraded from mohave to Big Sur and found all my log files are gone. And then I found this site. cry…..
Updated to 10.15.6 and lost all logs again. 🙁
Last time I make this mistake!
Fixed in 10.15.4???
Looks like another 6 week wait till we roll out Catalina, and we thought Mojave was bad for the enterprise.
James, I confirmed this is still happening in 10.15.4. 🙁