Capturing XCreds Logs

Created On
Last Updated On
byTimothy Perfitt
You are here:

XCreds logs in 2 different locations:

  1. /tmp/xcreds/xcreds.log
  2. The Library folder in the user’s home directory (~/Library/Logs/xcreds.log)

The log located in /tmp/xcreds/xcreds.log shows entries from the login window and the log in the user’s home directory shows log entries from the menu item app. By default, the logs contain on error messages. To enable debug logging, open Terminal and run:

sudo defaults write /Library/Preferences/com.twocanoes.xcreds showDebug -bool true

You may be prompted for your admin password after running the above command. Once the command is run, the logs will contain debug information, which may contain sensitive token and other information. To turn off debug logging:

sudo defaults write /Library/Preferences/com.twocanoes.xcreds showDebug -bool false

Debugging can also be turned on and off by setting the preference key showDebug in the configuration profile.

It is often helpful to search the XCreds log for information returned from the credentials provider to confirm which fields are made available to use in XCreds. For Active Directory this can be done by searching for the text AD Attributes. For other credentials providers this can be done by searching for the text tokenInfo.

Historical Logs

The log in /tmp/xcreds/xcreds.log is erased on reboot. If you need data further back or between specific dates and times, you can run the following command, replacing the “YYYY-MM-DD HH:MM:SS” with the time period you are looking for:

log show -start 'YYYY-MM-DD HH:MM:SS' -end 'YYYY-MM-DD HH:MM:SS' --predicate 'process=="XCreds" && eventMessage contains "XCREDS_LOG"'

For example, to see the log between 2025-08-01 10:30:00 and 2025-08-28 10:40:00:

log show -start '2025-08-01 10:30:00' -end '2025-08-28 10:40:00' --predicate 'process=="XCreds" && eventMessage contains "XCREDS_LOG"'

Output to File

To output the data to a file, add “> /path/to file” at the end of the command. For example, to output to a file /Users/Shared called xcreds.log:

log show -start '2025-08-01 10:30:00' -end '2025-08-28 10:40:00' --predicate 'process=="XCreds" && eventMessage contains "XCREDS_LOG"' > /Users/Shared/xcreds.log

Compressing

Before sending the log, it is always good to compress it since logs can be very large and can be compressed to a much smaller size. You can use the “Compress” command in the Finder on the file or use the zip command. For example, to compress the file in /Users/Shared/xcreds.log:

zip -j /Users/Shared/xcreds.log.zip /Users/Shared/xcreds.log

The file /Users/Shared/xcreds.log.zip will be created and can be shared more easily.

Tags: