Unified logging subsystems (com.apple.*) organize log messages by component. This index lists key subsystems for forensic analysis.

```
com.apple.{component}.{subcomponent}
```

Example: `com.apple.siri.inference`

```bash
# List all subsystems in archive
log show --archive system_logs.logarchive --style json 2>/dev/null | \
  grep -o '"subsystem" *: *"[^"]*"' | sort | uniq -c | sort -rn

# Filter by subsystem
log show --archive system_logs.logarchive \
  --predicate 'subsystem == "com.apple.springboard"'
```

Transparency, Consent, and Control
- Permission decisions
- App authorization
- Privacy prompts

```bash
--predicate 'subsystem == "com.apple.TCC"'
```

Security framework
- Keychain access
- Code signing
- Entitlements
Security daemon
- Key operations
- Certificate validation
Location services
- GPS/WiFi location
- Geofencing
- Significant location changes
Privacy accounting
- Data access logging
- Privacy reports
Apple Intelligence core
- AI orchestration
- Feature flags
- Model management

```bash
--predicate 'subsystem BEGINSWITH "com.apple.intelligence"'
```

Siri umbrella
- Voice recognition
- Intent handling
- Suggestions
Siri ML inference
- On-device models
- Query processing
Photos ML
- Face detection
- Scene classification
- Object recognition
Photo analysis
- Image indexing
- Feature extraction
Spotlight search
- Content indexing
- Query handling
Parsec personalization
- Search ranking
- Suggestions
Behavioral intelligence
- Usage patterns
- Predictions
Duet scheduler
- Background task scheduling
- Power-aware execution
SpringBoard (Home screen)
- App launches
- Notifications
- UI state

```bash
--predicate 'subsystem == "com.apple.springboard"'
```

UIKit framework
- UI events
- View lifecycle
Process lifecycle
- App states
- Memory management
- Background modes
Front-most app management
- Scene management
- Window server
Network framework
- Connections
- Protocols
WiFi
- Association
- Scanning
- Power state
Bluetooth
- Device pairing
- Connections
CoreWLAN
- WiFi management
Apple Push Service
- Push notifications
- Keep-alive
Identity Services
- iMessage
- FaceTime
- iCloud accounts
Core Data
- Database operations
- Migrations
SQLite
- Database queries
- Performance
CloudKit
- iCloud sync
- Records
iCloud services
- Sync state
- Account status
Kernel
- System calls
- Resource limits
XPC
- Inter-process communication
- Service connections
launchd
- Service management
- Job scheduling
Power management
- Sleep/wake
- Thermal management
I/O Kit
- Hardware drivers
- Device state
AVFoundation
- Audio/video playback
- Capture
Media services
- Audio routing
- Media sessions
Core Media
- Media pipelines
- Buffers
Phone/Cellular
- Calls
- SMS/MMS
Messages
- iMessage
- SMS relay
FaceTime
- Video calls
- Audio calls
Trial system
- Feature flags
- A/B experiments
- Rollouts

```bash
--predicate 'subsystem == "com.apple.trial"'
```

| Priority | Subsystem | Use Case |
|---|---|---|
| Critical | com.apple.TCC | Permission analysis |
| Critical | com.apple.locationd | Location tracking |
| Critical | com.apple.springboard | User activity |
| High | com.apple.siri | Voice interactions |
| High | com.apple.biome | Behavior patterns |
| High | com.apple.intelligenceplatform | AI activity |
| High | com.apple.security | Security events |
| Medium | com.apple.runningboard | App lifecycle |
| Medium | com.apple.wifi | Network connections |
| Medium | com.apple.trial | Feature experiments |
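
```bash
# Exact match on one subsystem
--predicate 'subsystem == "com.apple.springboard"'

# Prefix match (a subsystem and its subcomponents)
--predicate 'subsystem BEGINSWITH "com.apple.siri"'

# Any of several subsystems
--predicate 'subsystem IN {"com.apple.TCC", "com.apple.security"}'

# One subsystem, error messages only
--predicate 'subsystem == "com.apple.security" AND messageType == error'

# One subsystem, filtered by message text
--predicate 'subsystem == "com.apple.siri" AND eventMessage CONTAINS "intent"'
```

- intelligence.md - Apple Intelligence subsystems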
- siri.md - Siri subsystems
- ../analysis/common-queries.md - Query examples