PFLOGGERD the pf log daemon for macOS

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

PFLOGGERD the pf log daemon for macOS

Post by hany » Mon Apr 10, 2017 5:08 pm

Today we released pfloggerd, an open source daemon used to save pf logs to file.
On older Murus releases we used the built-in tcpdump utility in order to save pf logs to file. As of macOS 10.12.4 tcpdump cannot be used any more.
So we decided to develop a dedicated daemon. Murus 1.4.9 on macOS 10.12.* is the first Murus release using pfloggerd instead of tcpdump.

pfloggerd is an open source project (GPLv3 license applies).
Source code is available at https://github.com/TheMurusTeam/pfloggerd

darwin
Posts: 4
Joined: Wed Apr 12, 2017 4:06 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by darwin » Wed Apr 12, 2017 4:25 pm

Hello, I have an issue with this version.
Mac OS X: 10.12.4
Murus upgrade from 1.48 to 1.49
I applied the boot script from Murus,
but no pfloggerd...plist is present in /Library/LaunchDaemons (the binary is present in /usr/local/bin), so I downloaded the one from GitHub, installed it, and chmod/chown/chgrp'd it to the appropriate values.
But my pffirewall.log is always empty, so I tried to run manually the command that I see in the pfloggerd script; it can create the interface pflog0,
but I have an issue with the binary: /usr/local/bin/pfloggerd doesn't give me back the #

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by hany » Wed Apr 12, 2017 9:07 pm

Hello,
when you install Murus boot scripts 1.4.9 there is no pfloggerd plist because it is not needed.
pfloggerd is started by the /etc/murus.sh shell script, which in turn is launched by the main Murus plist in LaunchDaemons.
The plist provided on GitHub is only meant as an example for people who want to configure pf manually.
So if you run Murus, forget GitHub, remove all GitHub-related files and reinstall the Murus 1.4.9 boot scripts; then it will work. You can verify it using Activity Monitor.app: displaying "all processes", you'll see pfloggerd running.

darwin
Posts: 4
Joined: Wed Apr 12, 2017 4:06 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by darwin » Thu Apr 13, 2017 9:46 am

Hello,

True, I can see the pfloggerd process running, but LogVisualizer tells me "PF log not found".
Let me just clarify what I did in the past. I made a Time Machine backup with Murus 1.4.8, then I installed Sierra and restored the Time Machine backup; after this I upgraded to the latest Sierra (10.12.4). At this moment no pffirewall.log file was present. I supposed that it was due to Time Machine, so I created an empty pffirewall.log file (with the right permissions, root:wheel 644) via touch. After this point I became aware of the tcpdump issue with the new Sierra.

Now I removed pffirewall.log and the pfloggerd file, reinstalled Murus 1.4.9, enabled the boot script and rebooted; currently pfloggerd is running, but no pffirewall.log is present, and when I click on LogVisualizer it of course tells me no PF log found...

Any help would be appreciated, Hany ;-)

darwin
Posts: 4
Joined: Wed Apr 12, 2017 4:06 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by darwin » Tue Apr 18, 2017 9:30 am

Any idea ? :idea: :?

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by hany » Wed Apr 19, 2017 2:39 pm

Well, this is strange :)
If the boot scripts are installed and pfloggerd is running, then you should see /var/log/pffirewall.log populating, as long as you correctly set up pf to log some connections and you actually made these connections. Sorry if it sounds obvious, but please double-check your pf configuration and Murus preferences.

darwin
Posts: 4
Joined: Wed Apr 12, 2017 4:06 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by darwin » Thu Apr 20, 2017 4:34 pm

There is no pffirewall log file in /var/log.
Is there a way to test if the pfloggerd binary (in /usr/local/bin) works fine?
If I do an ifconfig -a, I can see the pflog0 interface.
I can export the Murus conf to show you that the boot script and also the log are enabled.
:oops:

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: PFLOGGERD the pf log daemon for macOS

Post by hany » Thu Apr 20, 2017 9:01 pm

It seems you have some permission problems or something similar somewhere. Or maybe there is a bug in pfloggerd, but we have not received any complaint so far, and we are unable to replicate your issue.
To check if pfloggerd is running you can use ps or Activity Monitor. To check if it works you must pass some traffic to pflog0. As far as I know the only way is to trigger pf logs.
You may try uninstalling everything and reinstalling. Or probably you can use a system cleaning tool (like Onyx, which is free AFAIK) to fix your system permissions/caches.
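A small diagnostic in the spirit of hany's reply above, added here as an example (it is not part of this thread or of the pfloggerd project): it checks the three links hany names, in order, and each check takes the command output as an argument so it can be exercised on constructed sample text. The `--run` switch, the sample text and the message wording are assumptions; the paths are the ones named in the thread.

```shell
#!/bin/sh
# Constructed diagnostic for the pfloggerd logging chain:
#   pflog0 interface  ->  pfloggerd process  ->  /var/log/pffirewall.log

# Link 1: does `ifconfig -a` output list a pflog0 interface?
pflog_iface_present() {
    printf '%s\n' "$1" | grep -q '^pflog0:'
}

# Link 2: does a `ps -axo comm` listing contain pfloggerd (bare or full path)?
pfloggerd_running() {
    printf '%s\n' "$1" | grep -q -E '(^|/)pfloggerd$'
}

# Link 3: does the log file exist and hold at least one record?
# An empty file created with touch (as in the thread) does not count.
logfile_populated() {
    [ -s "$1" ]
}

# Run the real checks on this host and stop at the first broken link,
# so the message points at the layer that needs attention.
diagnose() {
    log=/var/log/pffirewall.log
    pflog_iface_present "$(ifconfig -a 2>/dev/null)" \
        || { echo "FAIL: no pflog0 interface (boot script did not create it)"; return 1; }
    pfloggerd_running "$(ps -axo comm 2>/dev/null)" \
        || { echo "FAIL: pfloggerd is not running"; return 2; }
    logfile_populated "$log" \
        || { echo "FAIL: $log absent or empty; pf needs 'log' rules and matching traffic"; return 3; }
    echo "OK: pflog0 up, pfloggerd running, $log populated"
}

# Constructed sample outputs (assumed shapes, not captured from a real host).
IFCONFIG_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
pflog0: flags=0<> mtu 33184
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500'
PS_SAMPLE_OK='/sbin/launchd
/usr/local/bin/pfloggerd
/usr/sbin/syslogd'
PS_SAMPLE_MISSING='/sbin/launchd
/usr/sbin/syslogd'

# Only touch the live system when explicitly asked: sh diagnose.sh --run
if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```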
