Sierra firewall log is empty

I've been doing some work with my ability to access my Mac remotely (via VNC or just retrieving files with SFTP). After installing Sierra, I was wanting to check something in the firewall log, only to find that the log file is empty. This doesn't seem right, given that I have open ports and I know I was being port scanned within the last 24 hours. The log file shows it was created yesterday around 4pm, when I installed Sierra.


Any thoughts appreciated, thanks.

Mac mini, macOS Sierra (10.12), 250GB SSD + 1 TB HD = Fusion Drive

Posted on Sep 21, 2016 11:47 AM


Nov 3, 2016 4:21 AM in response to KonKrypton

I have tried the new Console.app and log(1) for likely strings without success. I have two empty files in /var/log – alf.log and appfirewall.log. There is an entry in /etc/asl.log as there was pre-Sierra. In /usr/libexec/ApplicationFirewall there is a promising-looking daemon called appfwloggerd which is not running. There are com.apple.alf.plist files in that directory and also in /Library/Preferences. Both of these have loggingenabled=1 and loggingoption=0. I've not tried changing the latter...

Nov 26, 2016 3:13 PM in response to fivenotrump

later experiments


check logging is on (should be):

/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode

check logging option:

/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt

mine said 'throttled', so:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail


check logging config for subsystem:

sudo log config --status --subsystem com.apple.alf

likely says "Mode for 'com.apple.alf' INFO PERSIST_DEFAULT" so:

sudo log config --mode "persist:info" --subsystem com.apple.alf


now use log(1) like

log show --predicate 'subsystem == "com.apple.alf"' --info --last 1h


I do get some log entries when expected but they all have the same useful message "<private>"
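
The checks from the post above, gathered into one read-only script that also counts how many firewall entries come back as "<private>". This is an added example, not part of the original thread; the function names, the sample lines and the assumption that each `log show` entry line begins with a YYYY- timestamp are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check of the settings the post
# walks through, plus a count of redacted ("<private>") firewall log entries.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw
SUBSYS=com.apple.alf

# Pull level and persistence out of the status line quoted in the post:
#   Mode for 'com.apple.alf' INFO PERSIST_DEFAULT
parse_log_mode() {
    printf '%s\n' "$1" | awk '/^Mode for / { print $(NF-1), $NF; exit }'
}

# Read `log show` text on stdin and print "<redacted> <total>".
# Assumption: every entry line starts with a YYYY- timestamp; header lines do not.
count_redacted() {
    awk '/^[0-9][0-9][0-9][0-9]-/ { total++
             if ($0 ~ /<private>[[:space:]]*$/) red++ }
         END { printf "%d %d\n", red, total }'
}

# Constructed sample lines (not captured from a real machine).
sample_lines() {
    cat <<'EOF'
Timestamp                       Thread     Type        PID
2016-11-26 15:01:02.000000+0000 0x1a2b     Info        123    socketfilterfw: <private>
2016-11-26 15:01:07.000000+0000 0x1a2b     Info        123    socketfilterfw: <private>
2016-11-26 15:02:11.000000+0000 0x1a2c     Info        123    socketfilterfw: sample readable message
EOF
}

audit() {
    "$FW" --getloggingmode
    "$FW" --getloggingopt
    status=$(sudo log config --status --subsystem "$SUBSYS")
    printf '%s\n' "$status"
    set -- $(parse_log_mode "$status")
    if [ "$2" = "PERSIST_DEFAULT" ]; then
        echo "persistence is PERSIST_DEFAULT; the post changes it with --mode persist:info"
    fi
    log show --predicate "subsystem == \"$SUBSYS\"" --info --last 1h | count_redacted
}

if [ -x "$FW" ]; then
    audit
else
    sample_lines | count_redacted   # no firewall binary here: run on the sample
fi
```

A result where the first number equals the second means every firewall entry in the window was redacted, which is the situation the post describes.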
