Analyzing the printer spool on a Mac is actually easier than you might imagine. The default setup of a 10.4 and 10.5 Mac is to retain the printer job (CUPS) history in the /private/var/spool directory. If you decide to navigate there via the command line, you will notice on a Leopard system, the following directory structure:
Terminal view of /private/var/spool
The ‘cups’ directory is where the printer spool information will be found. You can’t simply change into this directory as it is owned by the user ‘root’ and you are likely not a part of the group ‘_lp’.
If you wish to see what is inside of this directory, you need to open a root shell as seen in the next example:
Terminal view of /private/var/spool/cups
Now you are looking at the contents of the ‘cups’ directory. We used the command ‘sudo sh’ to gain a shell that has root privileges and then executed the command to change to the ‘cups’ directory.
Notice the files inside. Each file is a previous print job file. Unless the user has changed the settings manually, these are files that date back to the setup of this Macintosh. CUPS offers a great way to look at this information. Try this on your own Macintosh right now.
Browse to this web page: http://localhost:631
If you are running CUPS, you should have opened a browser window with the following:
CUPS Home page on a Mac running Mac OS X 10.5.6
This is where a user can take more in-depth control of their printing system. This is also where we can look at printing history. Click on the “jobs” tab:
CUPS Jobs page on a Mac running Mac OS X 10.5.6
Notice the “Show All Jobs” button. If you click on this button, you will have a web page displayed showing you the contents of all of the files we saw in the Terminal. This time, the layout is clean and easily read.
If the Macintosh you are examining is serving as a print server, you will have a history of ALL print jobs that have been submitted to it including user names, dates and times.