You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: KonKrypton
KonKrypton Author
User level: Level 1
71 points

Sierra firewall log is empty

I've been doing some work with my ability to access my Mac remotely (via VNC or just retrieving files with SFTP). After installing Sierra, I was wanting to check something in the firewall log, only to find that the log file is empty. This doesn't seem right, given that I have open ports and I know I was being port scanned within the last 24 hours. The log file shows it was created yesterday around 4pm, when I installed Sierra.


Any thoughts appreciated, thanks.

Mac mini, macOS Sierra (10.12), 250GB SSD + 1 TB HD = Fusion Drive

Posted on Sep 21, 2016 11:47 AM

Reply
3 replies
User profile for user: fivenotrump
fivenotrump
User level: Level 1
28 points

Nov 3, 2016 4:21 AM in response to KonKrypton

I have tried the new Console.app and log(1) for likely strings without success. I have two empty files in /var/log – alf.log and appfirewall.log. There is an entry in /etc/asl.log as there was pre-Sierra. In /usr/libexec/ApplicationFirewall there is a promising looking daemon called appfwloggerd which is not running. There are com.apple.alf.plist files in that directory and also in /Library/Preferences. Both of these have loggingenabled=1 and loggingoption=0. I've not tried changing the latter...

Reply
User profile for user: fivenotrump
fivenotrump
User level: Level 1
28 points

Nov 26, 2016 3:13 PM in response to fivenotrump

later experiments


check logging is on (should be):

/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode

check logging option:

/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt

mine said 'throttled', so:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail


check logging config for subsystem:

sudo log config --status --subsystem com.apple.alf

likely says "Mode for 'com.apple.alf' INFO PERSIST_DEFAULT" so:

sudo log config --mode "persist:info" --subsystem com.apple.alf


now use log(1) like

log show --predicate 'subsystem == "com.apple.alf"' --info --last 1h


I do get some log entries when expected but they all have the same useful message "<private>"

Reply

Sierra firewall log is empty

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up