How to View & Watch the Firewall Log in Mac OS X

Nov 24, 2015 - 6 Comments

Console in Mac OS X

Users who have enabled the firewall in Mac OS X may find it useful to be view, read, and monitor the associated logs with the system firewall. As you’d expect, the app firewall logs show you what applications and processes have attempted to connect to the Mac, including accepted and refused connections.

There are several ways to view and watch the firewall in OS X, we’ll show you how to do so with a simple GUI app as well as the command line.


Note that if you have Stealth Mode enabled or are blocking every incoming connection attempt, your firewall log will likely look different if not be outright void for particular types of connections. Likewise, if you have the firewall disabled, you won’t see anything either, simply because there is no firewall to log connections. Additionally, if you are behind a hardware firewall like that found in a typical wi-fi router or network, your firewall log data is going to look different from a machine open to the wide world.

Reading Firewall Logs with Console app in Mac OS X

The simplest way for most users to read and view the firewall logs in OS X is through the general log viewing application called Console:

  1. Hit Command+Spacebar to bring up Spotlight and type in “Console”, then hit return on Console app to launch the application (it’s located in /Applications/Utilities/ if you wish to launch it manually)
  2. From the left side Log List menu, look under the “Files” section and click on the triangle next to /var/log to open that log list
  3. Select “appfirewall.log” from the sidebar log list to load the firewall log into the right console panel

View the application firewall log in Mac OS X with Console app

A brief example of Console firewall log activity may look something like the following:

Nov 2 11:14:31 Retina-MacBook-Pro socketfilterfw[311] : kdc: Allow TCP LISTEN (in:0 out:2)
Nov 5 14:58:33 Retina-MacBook-Pro socketfilterfw[311] : launchd: Allow TCP LISTEN (in:0 out:1)
Nov 5 14:58:33 Retina-MacBook-Pro socketfilterfw[311] : launchd: Allow TCP LISTEN (in:0 out:1)
Nov 5 15:57:52 Retina-MacBook-Pro socketfilterfw[311] : launchd: Allow TCP LISTEN (in:0 out:2)
Nov 9 16:43:41 Retina-MacBook-Pro socketfilterfw[311] : iTunes: Allow TCP LISTEN (in:0 out:1)
Nov 12 11:32:57 Retina-MacBook-Pro socketfilterfw[311] : iTunes: Allow TCP LISTEN (in:0 out:1)
Nov 18 11:37:49 Retina-MacBook-Pro socketfilterfw[311] : iTunes: Allow TCP LISTEN (in:0 out:1)
Nov 18 21:28:43 Retina-MacBook-Pro socketfilterfw[320] : AppleFileServer: Allow TCP CONNECT (in:2 out:0)

The firewall log viewed in Console will update as new connections are made, allowed, and rejected.

Watching Firewall Logs from the Command Line

From the command line you have a variety of methods to read and watch the firewall log in OS X. If you simply want to view the existing log as is and not when it updates with new connection data, you can use cat or more in Terminal app:

more /var/log/appfirewall.log

You can then browse through the log as usual with the arrow keys and return. Exit more when finished viewing the firewall log.

Reading the firewall logs in Mac OS X

To follow a live updated version of the firewall log, use tail -f instead, like so:

tail -f /var/log/appfirewall.log

Using tail if similar to watching the firewall log from console application in the GUI, except of course you’re in the Terminal of OS X instead.

Enjoy this tip? Subscribe to the OSXDaily newsletter to get more of our great Apple tips, tricks, and important news delivered to your inbox! Enter your email address below:

Related articles:

Posted by: Paul Horowitz in Mac OS X, Tips & Tricks

6 Comments

» Comments RSS Feed

  1. Steebles says:

    The firewall logs on a router or server is much more interesting since it gets all sorts of stuff from the internet. My local Mac firewall log is basically connections to and from iTunes and local network shares, as it should be.

    • not overly impressed says:

      How do you monitor remote syslog from your router on an OSX machine?

      • Gerplestein says:

        Log in to your router IP and look at the logs. Every router uses different firmware and software, there isn’t a universal explanation.

      • Sebby says:

        Yes, see syslogd(8) under -udp_in. You need to edit the syslogd plist by hand and restart. Then tell your equipment the fixed IP address of your Mac, and you should get the log messages in Console and in /var/log. I did this once, but it proved too fiddly to continue doing, so I stopped.

  2. Andrew says:

    This might be beyond the scope of your normal tips, but could you guys do a stripped down guide to firewalling services using pf? I was using ipfw which is insanely simple, but it’s been deprecated and I can’t seem to get pf to work correctly. Would be hugely appreciated as I’ve had to disable some services (due to bruteforce login attempts) to which I used to allow only a few IPs via ipfw.

Leave a Reply

 

Shop for Apple & Mac Deals on Amazon.com

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Recent Posts