
Logging for macOS Application Firewall (ALF)



Hi Everyone!
Hoping for some help with an issue relating to logging for the Mac Application Firewall (ALF). We have a requirement from one of our security groups to start sending these logs to Splunk and I’ve run into some issues surrounding entries for blocked connections.

With the firewall enabled, and logging for it enabled and set to detail, I’m able to run log show and log stream commands on a 10.14 system, filtering by either the socketfilterfw process or the com.apple.alf subsystem, and I consistently get entries for permitted connections but never for any of the blocked ones.

The only way I was able to see blocked entries was when, for testing, I had changed the firewall state to block everything, so I know the logs exist for blocks; I just can’t seem to get them to show up under any other configuration.

Thanks in advance for any suggestions/help!

-Jordan

0 replies
