How to View and Watch the Firewall Log in Mac OS X



Already enabled the firewall in Mac OS X? For some users who already enabled the firewall on their mac, they find it useful to be view, read, and monitor the associated logs with the system firewall. The app firewall logs can show you what applications and processes have tried to connect to the Mac, including accepted and refused connections.

There are some ways to view and watch the firewall in OS X, we will tell you how to do it with a simple GUI app as well as the command line.

Please remeber that if you have Stealth Mode enabled or are blocking every incoming connection attempt, your firewall log will look different if not be outright void for particular types of connections. Also, if you have the firewall disabled, you won’t see anything, because there is no firewall to log connections. Simply to say, if you are behind a hardware firewall like that found in a typical wi-fi router or network, your firewall log data will look different from a machine open to the wide world.

Reading Firewall Logs with Console app in Mac OS X

The easiest way for most users to read and view the firewall logs in OS X is through the general log viewing application named Console:

  • Hit Command+Spacebar to open Spotlight and type “Console”, then hit return on Console app to launch the application (it’s located in /Applications/Utilities/ if you wish to launch it manually)
  • From the left side Log List menu, look below the “Files” section and click on the triangle next to /var/log to open that log list
  • Select “appfirewall.log” from the sidebar log list to load the firewall log into the right console panel

A simple example of Console firewall log activity will look something like this:

Nov 2 11:14:31 Retina-MacBook-Pro socketfilterfw[311] : kdc: Allow TCP LISTEN (in:0 out:2)
Nov 5 14:58:33 Retina-MacBook-Pro socketfilterfw[311] : launchd: Allow TCP LISTEN (in:0 out:1)
Nov 5 14:58:33 Retina-MacBook-Pro socketfilterfw[311] : launchd: Allow TCP LISTEN (in:0 out:1)
Nov 5 15:57:52 Retina-MacBook-Pro socketfilterfw[311] : launchd: Allow TCP LISTEN (in:0 out:2)
Nov 9 16:43:41 Retina-MacBook-Pro socketfilterfw[311] : iTunes: Allow TCP LISTEN (in:0 out:1)
Nov 12 11:32:57 Retina-MacBook-Pro socketfilterfw[311] : iTunes: Allow TCP LISTEN (in:0 out:1)
Nov 18 11:37:49 Retina-MacBook-Pro socketfilterfw[311] : iTunes: Allow TCP LISTEN (in:0 out:1)
Nov 18 21:28:43 Retina-MacBook-Pro socketfilterfw[320] : AppleFileServer: Allow TCP CONNECT (in:2 out:0)

The firewall log you see in Console will update as new connections are made, allowed, and rejected.

Watching Firewall Logs from the Command Line

From the command line you have a lot of methods to read and watch the firewall log in OS X. If you want to view the existing log and not when it updates with new connection data, you can use cat or more in Terminal app:

more /var/log/appfirewall.log

And then you can browse through the log as usual with the arrow keys and return. Exit more when finished viewing the firewall log.

To see a live updated version of the firewall log, use tail -f instead, for example:

tail -f /var/log/appfirewall.log

Using tail if is just the same with watching the firewall log from console application in the GUI, except you’re in the Terminal of OS X instead



Be the first to comment on "How to View and Watch the Firewall Log in Mac OS X"

Leave a comment