Logging pf messages under OSX Mountain Lion

Question

I'm trying to get pf working under Mountain Lion. Since it appears that Apple neglected to include pflogd, we have to make our own like:

/sbin/ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf

This dumps messages into system.log, but I'm trying to find a way to sort them out into their own. I was able to figure this out with ipfw, but ipfw left nice logs like:

Mar  5 11:34:44 flamingo kernel[0] <Debug>: ipfw: 65534 Deny ICMP:3.10 192.168.4.233 192.168.92.60 in via en0

For pf, I'm getting logs like:

Mar  5 11:57:50 flamingo.mydomain.com pf[51938]: 00:00:00.000000 rule 1/8(ip-option): pass in on en0: 172.24.32.41 > 224.0.0.1: igmp query v2

With OSXes 'logger', I can use -p to set a facility, but then the logs quietly vanish. I found references to using 'syslog -s -k facility whatever', but when I pipe my tcpdump into syslog, the process dies after a few seconds or minutes.

How can IA) find out how to keep syslog running, or B) either set or predict what I could filter the results from logger in asl.conf?

Answer 1

You're missing one ingredient to get logging.

This worked for me:

root# touch /var/log/pffirewall.log` to create the log file.  

Then, add the following line to /etc/syslog.conf :

local2.* /var/log/pffirewall.log

Now your logger process output will show up in /var/log/pffirewall.log . Apparently logger is still tied to the old syslog facility and /etc/syslog.conf .