Viewing Logs

Murus
megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Viewing Logs

Post by megumi » Thu Jan 08, 2015 8:15 am

UPDATE 4

Log rotation happened this morning. The manually edited /etc/newsyslog.conf file seems to have taken effect, because the new log file (as well as the archived files) all have the correct permissions (644).

Code:

megumi$ cd /var/log
megumi$ ls -l pffirewall*
-rw-r--r--@ 1 root  admin  103785  8 Jan 07:55 pffirewall.log
-rw-r--r--@ 1 root  admin  292722  8 Jan 07:39 pffirewall.log.0.bz2
-rw-r--r--@ 1 root  admin  344886  6 Jan 14:23 pffirewall.log.1.bz2
-rw-r--r--@ 1 root  admin  368469  3 Jan 22:30 pffirewall.log.2.bz2
-rw-r--r--@ 1 root  admin  264281  2 Jan 12:37 pffirewall.log.3.bz2

The developer (hany) plans to release an update to fix the bug, so that Murus will use the permission setting 644 instead of 640 for /var/log/pffirewall.log. So, as far as the log viewing is concerned, all seems well.

One remaining mystery for me is why /etc/newsyslog.conf.BACKUP was absent on my system, when Murus expected it to be there.

hany
Posts: 483
Joined: Wed Dec 10, 2014 5:20 pm

Re: Viewing Logs

Post by hany » Thu Jan 08, 2015 4:52 pm

Hello megumi, nice to see that your logs are now ok.
I don't know why newsyslog.conf.BACKUP is not in your /etc directory. Did you install IceFloor on this Mac before installing Murus? And did you completely uninstall IceFloor before installing Murus?
Anyway, the file newsyslog.conf.BACKUP is created by Murus 1.0 when installing boot scripts. Or at least it should be. Murus also creates a backup of /etc/syslog.conf in /etc/syslog.conf.BACKUP.
These 2 .BACKUP files are used when uninstalling Murus or when uninstalling boot scripts from the Murus menu bar. The original /etc/syslog.conf and /etc/newsyslog.conf are restored from the .BACKUP files.
This is a wrong approach, so we are changing it. We are going to release 1.0.1 later today or tomorrow, in order to fix all these issues. Murus 1.0.1 will not need, create or expect to find any .BACKUP file for either the syslog or newsyslog configuration files. Stay tuned :)

megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Viewing Logs

Post by megumi » Thu Jan 08, 2015 11:03 pm

Hello hany,

Thank you for your response.

Yes, I did have IceFloor (and WaterRoof before that) prior to installing Murus. I did not completely uninstall IceFloor before installing Murus, because I installed Murus to try it first. Subsequently I uninstalled IceFloor, using the uninstall command provided by IceFloor itself. After that, I installed the boot scripts again from Murus. I checked to see if /etc/syslog.conf.BACKUP exists on my hard drive.

Code:

megumi$ cd /etc
megumi$ ls -l syslog.conf*
-rw-r--r--  1 root  wheel  176  8 Nov 18:51 syslog.conf
-rw-r--r--  1 root  wheel  176 24 Sep 10:00 syslog.conf~previous

As you can see, it doesn't, but I found /etc/syslog.conf~previous. From the creation date, it was clearly not created by Murus. I don't know what program made it.

I just downloaded and installed Murus 1.0.1. I uninstalled and installed the boot scripts, as well as saved the logging preference. Having checked the /etc directory, I see that Murus 1.0.1 created /etc/syslog.conf.BACKUP and /etc/newsyslog.conf.BACKUP. But the /etc/newsyslog.conf file correctly has the 644 permission setting for /var/log/pffirewall.log.

Code:

megumi$ ls -l syslog.conf*
-rw-r--r--@ 1 root  wheel  175  8 Jan 22:40 syslog.conf
-rw-r--r--@ 1 root  wheel   95  8 Jan 22:40 syslog.conf.BACKUP
-rw-r--r--  1 root  wheel  176 24 Sep 10:00 syslog.conf~previous

megumi$ ls -l newsyslog.conf*
-rw-r--r--@ 1 root  wheel  1380  8 Jan 22:40 newsyslog.conf
-rw-r--r--@ 1 root  wheel  1318  8 Jan 22:40 newsyslog.conf.BACKUP

megumi$ cat newsyslog.conf
# configuration file for newsyslog
# $FreeBSD: /repoman/r/ncvs/src/etc/newsyslog.conf,v 1.50 2005/03/02 00:40:55 brooks Exp $
#
# Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated.  This
# action is only appropriate for log files which are written to by the
# syslogd process (ie, files listed in /etc/syslog.conf).  If there
# is no process which needs to be signalled when a given log file is
# rotated, then the entry for that file should include the 'N' flag.
#
# The 'flags' field is one or more of the letters: BCGJNUWZ or a '-'.
#
# Note: some sites will want to select more restrictive protections than the
# defaults.  In particular, it may be desirable to switch many of the 644
# entries to 640 or 600.  For example, some sites will consider the
# contents of maillog, messages, and lpd-errs to be confidential.  In the
# future, these defaults may change to more conservative ones.
#
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/ftp.log			640  5	   1000	*     J
/var/log/hwmond.log			640  5	   1000	*     J
/var/log/ipfw.log			640  5	   1000	*     J
/var/log/lpr.log			640  5	   1000	*     J
/var/log/ppp.log			640  5	   1000	*     J
/var/log/wtmp				644  3	   *	@01T05 B
/var/log/pffirewall.log                 644  20   4000 *    J

I am glad that the log viewing problem caused by log rotation is now fixed. Thank you very much for the prompt bug fix.

joebob
Posts: 1
Joined: Fri Jun 24, 2016 2:24 pm

Re: Viewing Logs

Post by joebob » Fri Jun 24, 2016 3:03 pm

*** I wanted to share my experiences, especially since I'm basically an OSX n00b in case they may help anyone else. ***

I'm running OSX 10.11.5 on a ( MBP Retina, 15-inch, Mid 2014 ) if that matters at all.

I installed Murus Pro ( 1.4.2 ), Murus Logs Visualizer, and Murus Menulet.

For whatever reason the /var/log/pffirewall.log has NEVER been created.

PF seems to be running with no problems at all as I have checked via command line. ( sudo pfctl -sa ) - ( http://krypted.com/mac-security/a-cheat ... on-and-up/ )

I've read a zillion Google threads about Murus and PF, read ALL of the Murus documentation available to the very last page, purchased and started reading the No Starch Press book, "The Book of PF" to try and figure out why this log hasn't ever been created per the normal installation procedures for PF.

I tried various forum suggestions such as removing / replacing the Murus boot scripts, so I removed them, rebooted, reinstalled them, rebooted, but sigh, no /var/log/pffirewall.log file.

I checked the /etc/newsyslog.conf file and everything looks perfect, meaning my Murus ( 1.4.2 ) has been patched.

So - I just decided to manually create the file using the command " sudo touch pffirewall.log " after I cd /var/log and I finally have the file now.

After I created the file I carefully reviewed the permissions via the Murus forum comment on page 1 by hany, and the /var/log/pffirewall.log file permissions look perfect ( -rw-r--r--@ 1 root wheel 2542996 4 Gen 14:33 /var/log/pffirewall.log ) and the /etc/newsyslog.conf file entry for PF log rotation looks perfect ( via the parameters I entered via Murus.)

--

Grrrr - computers - we all love 'em and hate 'em depending on whether they're behaving at the moment.

--

I'll report back my results, but mostly I wanted to share my notes for the next poor guy who's killing himself because everything seems to be running perfectly - yet he's missing PF logs - and he's like any computer freak - and especially for something as important as a firewall - he wants everything setup and working as described in the manual - PF in this case.

--
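
An added example, not written by the posters in this thread and not Murus code: a shell check that reads the mode newsyslog.conf assigns to a log (the mode applied at rotation, as discussed above), compares it with the file's current mode, and reports a log that has not been created yet. The function names and the sample configuration, including its root:admin owner field, are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the mode newsyslog.conf assigns to a log with the
# mode the file has on disk, and report a log that does not exist yet.

# Print the mode configured for log $2 in newsyslog.conf $1. The owner:group
# field is optional, so the mode is field 2, or field 3 when an owner is given.
conf_mode() {
    awk -v target="$2" '
        $1 == target {
            if ($2 ~ /^[0-7]+$/) { print $2 }
            else if ($3 ~ /^[0-7]+$/) { print $3 }
            exit
        }' "$1"
}

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
disk_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_log CONF LOG [ONDISK]: ONDISK defaults to LOG and exists only so the
# check can be run against a scratch copy of the log.
check_log() {
    want=$(conf_mode "$1" "$2")
    file=${3:-$2}
    if [ -z "$want" ]; then echo "no-entry"; return 0; fi
    if [ ! -e "$file" ]; then echo "missing want=$want"; return 0; fi
    have=$(disk_mode "$file")
    if [ "$have" = "$want" ]; then echo "ok mode=$have"
    else echo "mismatch have=$have want=$want"; fi
}

# Constructed sample: two entries in the layout of the file shown in the thread.
demo() {
    d=$(mktemp -d)
    cat > "$d/newsyslog.conf" <<'EOF'
# logfilename          [owner:group]    mode count size when  flags
/var/log/ipfw.log                       640  5     1000 *     J
/var/log/pffirewall.log  root:admin     644  20    4000 *     J
EOF
    check_log "$d/newsyslog.conf" /var/log/pffirewall.log "$d/pffirewall.log"
    touch "$d/pffirewall.log" && chmod 640 "$d/pffirewall.log"
    check_log "$d/newsyslog.conf" /var/log/pffirewall.log "$d/pffirewall.log"
    chmod 644 "$d/pffirewall.log"
    check_log "$d/newsyslog.conf" /var/log/pffirewall.log "$d/pffirewall.log"
    rm -rf "$d"
}
demo
```

On a real system the call would be `check_log /etc/newsyslog.conf /var/log/pffirewall.log`; a "mismatch" result means the next rotation will change the file's permissions.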
