pffirewall.log issue on Mac Mini Server

Murus
Post Reply
jdhelle
Posts: 5
Joined: Mon May 11, 2015 3:54 pm
Location: Spring, TX

pffirewall.log issue on Mac Mini Server

Post by jdhelle » Mon May 18, 2015 4:49 pm

I recently moved for IceFloor to Murus and there is something strange with the naming of the pffirewall.log file. There is a pffirewall.log and it contains nothing but - May 14 17:30:05 server newsyslog[99366]: logfile turned over due to size>5000K. The currently log file being used is: pffirewall.l (letter 'L', not number 1). Is this anything to be concerned over or should I just wait to see what happens the pffirewall.l fills up and creates another new file?

5/18/2015 - More info: I have discovered that Visualizer does not produce any report or other information.

5/19/2015 - Update: 5/18 I was able to rename pffirewall.log to pffirewall.log.old and then rename pffirewall.l to pffirewall.log. However, today 5/19 pffirewall.log shows - May 18 17:30:06 server newsyslog[15383]: logfile turned over due to size>5000K and a new pffirewall.l was created.
Last edited by jdhelle on Tue May 19, 2015 2:20 pm, edited 3 times in total.

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: pffirewall.log issue on Mac Mini Server

Post by hany » Wed May 20, 2015 11:33 am

Very strange issue, I've never seen it.
You should not have a /var/log/pffirewall.l file. PF log file produced by Murus (or my old front ends like IceFloor and PFLists) should be /var/log/pffirewall.log. Murus Logs Visualizer won't work unless it finds this file.

Did you remove all IceFloor files before installing Murus? Please check twice, in both /etc and /Library/LaunchDaemons directories. The best way to remove it is to use the uninstall button in help tab, and reboot.

A very important thing to check is the syslog configuration, which is found in these 2 files:
/etc/syslog.conf
/etc/newsyslog.conf

Both files are edited by IceFloor and Murus, probably the reason for your issue is inside one of those 2 files.
Here is how the 2 files should appear when Murus is correctly installed on a clean 10.9/10.10:

/etc/syslog.conf

Code: Select all

 # Note that flat file logs are now configured in /etc/asl.conf

install.*						@127.0.0.1:32376
local2.*                                                /var/log/pffirewall.log
/etc/newsyslog.conf

Code: Select all

# configuration file for newsyslog
# $FreeBSD: /repoman/r/ncvs/src/etc/newsyslog.conf,v 1.50 2005/03/02 00:40:55 brooks Exp $
#
# Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated.  This
# action is only appropriate for log files which are written to by the
# syslogd process (ie, files listed in /etc/syslog.conf).  If there
# is no process which needs to be signalled when a given log file is
# rotated, then the entry for that file should include the 'N' flag.
#
# The 'flags' field is one or more of the letters: BCGJNUWZ or a '-'.
#
# Note: some sites will want to select more restrictive protections than the
# defaults.  In particular, it may be desirable to switch many of the 644
# entries to 640 or 600.  For example, some sites will consider the
# contents of maillog, messages, and lpd-errs to be confidential.  In the
# future, these defaults may change to more conservative ones.
#
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/ftp.log			640  5	   1000	*     J
/var/log/hwmond.log			640  5	   1000	*     J
/var/log/ipfw.log			640  5	   1000	*     J
/var/log/lpr.log			640  5	   1000	*     J
/var/log/ppp.log			640  5	   1000	*     J
/var/log/wtmp				644  3	   *	@01T05 B
/var/log/pffirewall.log                 644  20   5000 *    J
As you may guess, in both files the important line is the last one, please verify it. Should you change it, please reboot for changes to take effect.
Please let me know :)

jdhelle
Posts: 5
Joined: Mon May 11, 2015 3:54 pm
Location: Spring, TX

Re: pffirewall.log issue on Mac Mini Server

Post by jdhelle » Wed May 20, 2015 8:58 pm

The issue was: local2.* /var/log/pffirewall.l

I'm sure this will correct it, but I'll watch what happens the next time the log fills.

Thanks so much!


PS - I did uninstall IceFloor with the built in uninstall feature.

Post Reply