Logging for macOS Application Firewall (ALF)

jmb03012
New Contributor III

Hi Everyone!
Hoping for some help with an issue relating to logging for the Mac Application Firewall (ALF). We have a requirement from one of our security groups to start sending these logs to Splunk, and I’ve run into some issues surrounding entries for blocked connections.

With the firewall enabled, and logging for it enabled and set to detail, I’m able to run log show and log stream commands on a 10.14 system, filtering by either the socketfilterfw process or the com.apple.alf subsystem, and I consistently get entries for permitted connections but never for any of the blocked ones.

The only way I was able to see blocked entries was when, for testing, I had changed the firewall state to block everything, so I know the logs exist for blocks. I just can’t seem to get them to show up under any other configuration.

Thanks in advance for any suggestions/help!

-Jordan
