You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level 1
20 points

Firewall logging enabled, but not recording

I have my firewall set to stealth and I've also tried it on Block all.

I've confirmed that logging is enabled via the terminal commands,


/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

/usr/libexec/ApplicationFirewall/socketfilterfw —getlogginmode


However whenever I check the log file /var/log/appfirewall.log the files is always empty.


I have noticed that the modification date changes from time to time, is there anything else I need to do to correctly enable logging? Or is it possible that a certain program/setting/or even person is clearing the logs out before I get a chance to view them?


Thanks.

MacBook Air, iOS 10.1.1

Posted on Feb 2, 2017 1:27 AM

Reply
7 replies
User profile for user: Tesserax
Tesserax
User level: Level 10
152,188 points

Feb 3, 2017 9:55 AM in response to PoeticKinetics

Yes, I'm referring to the built-in OSX firewalls. Both appfirewall.log and also alf.log are always empty, even after I have enabled logging through terminal, via;

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

But maybe that isn't the correct command for the current OS?

I currently do not use ALF on my Mac, but use Vallum instead. However, there should still be traces of the ALF logs in the /var/log folder. Neither of the ones you mention were found in mine. (I am currently running macOS Sierra 10.12.3)


The "--setloggingmode on" is still the correct command AFAIK. The other option to modify the socketfilterpw.plist file would be "--setloggingopt: <throttled, brief, or detailed>. The default would be "throttled." I would suggest trying "detailed."


Not to worry about the correct Apple Support Communities area. I will ask the moderators to move this post to a more appropriate area: Mac OS & System Software

Reply
User profile for user: Tesserax
Tesserax
User level: Level 10
152,188 points

Feb 3, 2017 10:06 AM in response to PoeticKinetics

Correct me if I'm wrong but it is the ALF, Application Layer Firewall which is the one I'm looking for isn't it? Which should write to the file. var/log/appfirewall.log

Yes, we are talking about the same OS X / macOS application layer (or socket filter) firewall ... not the PF (packet filter) firewall ... and yes, I believe it should be writing logs to the /var/log folder when logging is enabled.

I've tested turning logging on and off via the following commands 'on a different machine' and it seems to have the desired effect of turning the logging on and off, and it writes to appfirewall.log.

Per chance, where logging was successful, were these pre-Sierra Macs?

Sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on


Sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail


I believe that I have the correct commands and am configuring the correct firewall, but on my system it doesn't seem to be writing to the log file at all, even when I read the current status and it says that logging is enabled.

I believe the correct logging options command should include a colon, as follows: --setloggingopt: detail


Again, I'm running Sierra and I could not find any ALF logs in the /var/log folder. The only thing that comes to mind is System Integrity Protection (SIP) has been enabled by default with Sierra. Whether this has anything with the firewall logs I am not sure. I haven't tried disabling SIP to see if it would make any difference.

Reply
User profile for user: Tesserax
Tesserax
User level: Level 10
152,188 points

Feb 2, 2017 8:57 AM in response to PoeticKinetics

By "firewall" are you referring to either or both of the two OS X / macOS software firewalls: ALF (application), PF (network or packet filter)?


Both are disabled by default. ALF is administered via System Preferences > Security & Privacy > Firewall Options... OR via Terminal commands. On the other hand, PF is administered (natively) only via Terminal commands.


Ref:

Reply
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level 1
20 points

Feb 2, 2017 8:08 PM in response to Tesserax

Thanks, I will review the links you posted.


Yes, I'm referring to the built-in OSX firewalls. Both appfirewall.log and also alf.log are always empty, even after I have enabled logging through terminal, via;

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

But maybe that isn't the correct command for the current OS? Either way, I will get onto your links. Cheers.


(Sorry about posting in the incorrect forum section, there was a glitch when posting and it wouldn't let me select any other category.)

Reply
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level 1
20 points

Feb 3, 2017 8:38 AM in response to Tesserax

Correct me if I'm wrong but it is the ALF, Application Layer Firewall which is the one I'm looking for isn't it? Which should write to the file. var/log/appfirewall.log


I've tested turning logging on and off via the following commands 'on a different machine' and it seems to have the desired effect of turning the logging on and off, and it writes to appfirewall.log.


Sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on


Sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail


I believe that I have the correct commands and am configuring the correct firewall, but on my system it doesn't seem to be writing to the log file at all, even when I read the current status and it says that logging is enabled.


I've even tried unloading and reloading the firewall, but still no joy.

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist


Does anyone else have any tips?

Reply
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level 1
20 points

Feb 4, 2017 4:58 AM in response to Tesserax

Thanks I might look into disabling SIP to test and see if it works, but I don't want to leave SIP off, so that it can do what it's designed to do and protect the system.


I've had the issue with the firewall logging since the first time I checked which would've been a year or so ago now.

I'm wondering if it may have something to do with permissions set for the log files maybe?


I've also set up PF now using a gui called IceFloor. Again the log file doesn't seem to be created at all. However I can view the logging life as it's happening in terminal. So the firewall is working and blocking network traffic.


I'm unsure if appfirewall.log needs to be configured in syslog.conf or asl.conf at all? Currently it's not listed.

I've found that rc.conf has the following lines in it.



# Facility com.apple.alf.logging gets saved in appfirewall.log

? [= Facility com.apple.alf.logging] file appfirewall.log file_max=100M all_max=500M


But it also has the following lines in the conf file

# ignore "internal" facility

? [= Facility internal] ignore


I also don't have an /var/log/auth.log file anywhere on my system. I believe this file is meant to log authorisations and failures for services such as SSH.


There's now a number of important log files which I don't have access to, whether it's due to bad configuration (fresh install of El Capitan only 2 weeks), or worse someone tampering with my system?


It's got me baffled, and a bit concerned.

Reply

Firewall logging enabled, but not recording

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up