Logging pf messages under OSX Mountain Lion - macos

I'm trying to get pf working under Mountain Lion. Since it appears that Apple neglected to include pflogd, we have to make our own like:
/sbin/ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf
This dumps messages into system.log, but I'm trying to find a way to sort them out into their own. I was able to figure this out with ipfw, but ipfw left nice logs like:
Mar 5 11:34:44 flamingo kernel[0] <Debug>: ipfw: 65534 Deny ICMP:3.10 192.168.4.233 192.168.92.60 in via en0
For pf, I'm getting logs like:
Mar 5 11:57:50 flamingo.mydomain.com pf[51938]: 00:00:00.000000 rule 1/8(ip-option): pass in on en0: 172.24.32.41 > 224.0.0.1: igmp query v2
With OS X's 'logger', I can use -p to set a facility, but then the logs quietly vanish. I found references to using 'syslog -s -k facility whatever', but when I pipe my tcpdump into syslog, the process dies after a few seconds or minutes.
How can I A) find out how to keep syslog running, or B) either set or predict what I could filter the results from logger in asl.conf?

You're missing one ingredient to get logging.
This worked for me:
root# touch /var/log/pffirewall.log to create the log file.
Then, add the following line to /etc/syslog.conf:
local2.* /var/log/pffirewall.log
Now your logger process output will show up in /var/log/pffirewall.log. Apparently logger is still tied to the old syslog facility and /etc/syslog.conf.

Related

MacOS - detect when camera is turned on/off

I want to automate a personal workflow that is based on camera usage on my MBP.
Basically I want to know if any of the cameras (built-in or USB) has been turned on or off, so I can run a program or script I'll create.
I think it's OK if I need to poll for the cameras statuses but an event or callback based solution would be ideal
This seems to work.
❯ log stream | grep "Post event kCameraStream"
2020-12-01 14:58:53.137796-0500 0xXXXXXX Default 0x0 XXX 0 VDCAssistant: [com.apple.VDCAssistant:device] [guid:0xXXXXXXXXXXXXXXXX] Post event kCameraStreamStart
2020-12-01 14:58:56.431147-0500 0xXXXXXX Default 0x0 XXX 0 VDCAssistant: [com.apple.VDCAssistant:device] [guid:0xXXXXXXXXXXXXXXXX] Post event kCameraStreamStop
2020-12-01 14:58:56.668970-0500 0xXXXXXX Default 0x0 XXX 0 VDCAssistant: [com.apple.VDCAssistant:device] [guid:0xXXXXXXXXXXXXXXXX] Post event kCameraStreamStart
Some of the numbers in the output are redacted with Xs because I don't know what they mean. :)
log stream --predicate 'eventMessage contains "Post event kCameraStream"' works up to macOS Big Sur, but not in macOS Monterey. You'll have to use a slightly different predicate:
$ log stream --predicate 'subsystem contains "com.apple.UVCExtension" and composedMessage contains "Post PowerLog"'
Filtering the log data using "subsystem CONTAINS "com.apple.UVCExtension" AND composedMessage CONTAINS "Post PowerLog""
Timestamp Thread Type Activity PID TTL
2021-10-27 12:21:13.366628+0200 0x147c5 Default 0x0 353 0 UVCAssistant: (UVCExtension) [com.apple.UVCExtension:device] UVCExtensionDevice:0x1234005d7 [0x7fe3ce008ca0] Post PowerLog {
"VDCAssistant_Device_GUID" = "00000000-1432-0000-1234-000022470000";
"VDCAssistant_Power_State" = On;
}
2021-10-27 12:21:16.946379+0200 0x13dac Default 0x0 353 0 UVCAssistant: (UVCExtension) [com.apple.UVCExtension:device] UVCExtensionDevice:0x1234005d7 [0x7fe3ce008ca0] Post PowerLog {
"VDCAssistant_Device_GUID" = "00000000-1432-0000-1234-000022470000";
"VDCAssistant_Power_State" = Off;
}
As far as I know, you can poll for the camera usage with:
$ lsof -n | grep "AppleCamera"
or replace "AppleCamera" with the driver name of an external camera.
Other relevant names to try are: "USBVDC" or "VDCAssistant" or "FaceTime" (or "iSight" in older Macs).
You should get one line with the name and pid of the process using the webcam or nothing, which means that it is not in use.
You could check for all of the keywords and decide that the camera is in use if any of these keywords give you something back.
The -n option is to skip resolving DNS names of IP connections and this speeds the command a lot.
As a side note, I use this app to know when any app is using the microphone and/or webcam: OverSight
In macOS Ventura I find this incantation works:
log stream --predicate 'sender contains "appleh13camerad" and (composedMessage contains "PowerOnCamera" or composedMessage contains "PowerOffCamera")'
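An added example that is not part of any of the answers above: it turns the `log stream` lines quoted in the answers (the kCameraStream events, the Monterey Power_State lines and the Ventura PowerOn/PowerOffCamera messages) into on/off events and runs a hook only when the state changes, with the lsof check from the polling answer as a fallback. HOOK is a hypothetical script of your own.

```shell
#!/bin/sh
# Added example (not from any of the answers above): classify the log lines
# quoted in the answers as on/off events and run a hook only on transitions,
# with the lsof check as a polling fallback. HOOK is a hypothetical script of
# your own that receives "on" or "off" as its single argument.
HOOK="${HOOK:-$HOME/bin/camera-hook}"

# camera_event LINE: print "on", "off" or nothing for one log line. Covers the
# three message forms quoted above: kCameraStreamStart/Stop (up to Big Sur),
# the "VDCAssistant_Power_State" = On/Off lines (Monterey) and
# PowerOnCamera/PowerOffCamera (Ventura).
camera_event() {
    case "$1" in
        *kCameraStreamStart*|*'"VDCAssistant_Power_State" = On'*|*PowerOnCamera*)  echo on ;;
        *kCameraStreamStop*|*'"VDCAssistant_Power_State" = Off'*|*PowerOffCamera*) echo off ;;
    esac
}

# camera_in_use: polling fallback from the lsof answer. Reads `lsof -n` output
# on stdin and succeeds if any of the known camera driver names appears.
camera_in_use() {
    grep -qE 'AppleCamera|USBVDC|VDCAssistant|FaceTime|iSight'
}

# watch_camera PREDICATE: stream matching log lines and call HOOK on each
# transition. Pass the predicate from the answer matching your macOS version.
watch_camera() {
    state=""
    log stream --predicate "$1" | while IFS= read -r line; do
        ev=$(camera_event "$line")
        if [ -n "$ev" ] && [ "$ev" != "$state" ]; then
            state=$ev
            "$HOOK" "$ev"
        fi
    done
}

# poll_camera SECONDS: fallback loop using lsof when no log predicate works.
poll_camera() {
    state=off
    while :; do
        if lsof -n 2>/dev/null | camera_in_use; then ev=on; else ev=off; fi
        if [ "$ev" != "$state" ]; then state=$ev; "$HOOK" "$ev"; fi
        sleep "${1:-5}"
    done
}
```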

Save output of NetworkManager monitor command to text file

How can I save the output of the NetworkManager command that listens for and prints the current activity?
The command is nmcli monitor (https://developer.gnome.org/NetworkManager/stable/nmcli.html).
Logging Messages
I will show how to modify the logging levels by NetworkManager.
NetworkManager supports on the fly changing of the logging levels and allows for a fine control over what is logged.
First check what is the current configuration by below command:
root#hostname ~: nmcli general logging
As a result you will be presented with the information about current conf:
LEVEL DOMAINS
INFO PLATFORM,RFKILL,ETHER,WIFI,BT,MB,DHCP4,DHCP6,PPP,IP4,IP6,AUTOIP4,DNS,VPN,SHARING,SUPPLICANT,AGENTS,SETTINGS,SUSPEND,CORE,DEVICE,OLPC,INFINIBAND,FIREWALL,ADSL,BOND,VLAN,BRIDGE,TEAM,CONCHECK,DCB,DISPATCH,AUDIT,SYSTEMD
It is possible to change the level either globally or for each domain separately. The command to achieve this is:
nmcli general logging [level <level> [domain <domain>]]
The <level> is the desired log level; here are some examples:
ERR: will log only critical errors
WARN: will log warning messages
INFO: will log various informational messages
DEBUG: enables verbose logging for debugging purposes
<domain> is the category of messages that shall be logged with the given severity.
WIFI: will include only WiFi related messages, IP4 will include only IPv4 related messages
And so on; I can't provide info for every setting, but this is how it works in general.
Other things you may want to try:
Systemd:
journalctl -u NetworkManager > tomyfile.txt
Use debug mode in general:
sudo /usr/lib/NetworkManager/debug-helper.py --nm debug > tomyfile.txt
I was able to log the output of nmcli monitor to a file using:
nmcli monitor >> log.txt
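An added example, not from the question or either answer: it combines the two answers by raising the NetworkManager log level for chosen domains while recording `nmcli monitor` to a timestamped file, and puts the old level back afterwards. The output file name is my own choice, and it assumes current nmcli, which spells the keyword "domains".

```shell
#!/bin/sh
# Added example (not from the question or answers above): raise NetworkManager
# logging for chosen domains while capturing `nmcli monitor` to a timestamped
# file, then put the previous level back. Uses the nmcli commands shown above;
# assumption: current nmcli spells the keyword "domains" (the answer wrote "domain").
OUT="${OUT:-nm-monitor-$(date +%Y%m%d-%H%M%S).log}"

# nm_current_level: read `nmcli general logging` output on stdin and print the
# LEVEL column of the data row (row 1 is the LEVEL/DOMAINS header).
nm_current_level() {
    awk 'NR == 2 { print $1 }'
}

# stamp_lines: prefix each stdin line with a timestamp so monitor events can be
# lined up against journalctl -u NetworkManager afterwards.
stamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line"
    done
}

# nm_restore: reinstate the level recorded before capture_nm changed it.
nm_restore() {
    nmcli general logging level "$NM_OLD_LEVEL" domains "$NM_DOMAINS"
}

# capture_nm LEVEL DOMAINS: e.g. capture_nm DEBUG WIFI,DHCP4. Runs until
# interrupted; the trap restores the old level on Ctrl-C.
capture_nm() {
    NM_DOMAINS=$2
    NM_OLD_LEVEL=$(nmcli general logging | nm_current_level)
    trap 'nm_restore; exit' INT TERM
    nmcli general logging level "$1" domains "$NM_DOMAINS"
    nmcli monitor | stamp_lines >> "$OUT"
    nm_restore
}
```

Changing the log level needs root (or the matching polkit permission), so run `capture_nm` under sudo.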

snmpd.conf clientaddr not working for sending trap /inform with given IP source address

Given the following sample/simple snmpd.conf (Net-SNMP 5.7.2 on RHEL 7.4)
rwcommunity private 192.168.56.101
trapsess -Ci --clientaddr=192.168.56.128 -v 2c -c private 192.168.56.101:162
when starting a SNMP Daemon
snmpd -f -Lo -D -C -c data/snmpd_test.conf udp:192.168.56.128:161
We obtain ''Start Up'' InformRequest with IP source 192.56.168.1 instead of ...128 (WireShark snapshot below)
It is not surprising as the -D option allows us to output the debug information saying that
trace: netsnmp_config_process_memory_list(): read_config.c, 696:
read_config:mem: processing memory: clientaddr 192.168.56.128
trace: run_config_handler(): read_config.c, 562:
9:read_config:parser: clientaddr handler not registered for this time
Web sources however say:
snmp.conf
...This value is also used by snmpd when generating notifications.
snmpd.conf
trapsess [SNMPCMD_ARGS] HOST
provides a more generic mechanism for defining notification destinations.
SNMPCMD_ARGS should be the command-line options required for an equivalent
snmptrap (or snmpinform) command to send the desired notification
I read also some old threads like this one
However this option is working well with snmptrap
snmptrap -D -Lo -Ci --clientaddr=192.168.56.128 -M+path_to_my_mibs -v 2c -c private 192.168.56.101:162 "" .1.3.6.1.4.1.a.b.c.d.e.f.0 i 0
This option is also working when placed in snmp.conf ( mind there is no 'd' here ) and then it applies to snmpset and snmpget (and maybe other)
So my question is: Is it a documentation error, a bug, a misuse of the Net-SNMP stack ?
After a long struggle I may have an answer and I write a short note as I just found a trick
It seems that clientaddr is not parsed correctly wherever in the snmpd.conf
(I also tried it inside the trapsess line)
But it seems to be a valid option in the command line of snmpd
like it was a valid option in the snmptrap command line. So I assumed it could be the same parsing mechanism for both.
A condition is also that the IP address must be a valid one,
which means that
snmpd -f -Lo -D -C -c data/snmpd_test.conf --clientaddr=192.168.56.128 udp:192.168.56.128:161
seems to fully solve my problem.
I will perform more tests and, if accurate, format this answer a little bit better, but it seems a good hint.

OS X Yosemite - Adding a Printer - UI Vs lpadmin

My problem is that when I add a printer using the Printers and Scanners UI, printing works; when I add the same printer using lpadmin, it doesn't.
To Add it through the UI I did the following:
From Printers and Scanners I selected the IP tab.
Address: 10.20.30.40, Protocol HP Jetdirect - Socket, Queue left blank, Name: TEST_01, Location "Top Floor", Use -> Select software -> HP LaserJet P3010 Series
After doing this, the Printer works as expected.
This is a (segment from a) script containing my lpadmin command that doesn't work
SUBNET=socket://10.20.30.
TEST_01=40
PPD_DIR=/Library/Printers/PPDs/Contents/Resources
TEST_01_PPD="hp LaserJet P3010 Series.gz"
lpadmin -E -p TEST_01 -v $SUBNET$TEST_01 -P "$PPD_DIR/$TEST_01_PPD" -D "TEST_01" -L "Top Floor"
The printer appears correctly in the UI but shows as paused.
I did find a message in system.log that may or may not be relevant - I was using Notes to test the printer:
Notes[502]: Failed to connect (_delegate) outlet from (com_hp_psdriver_19_11_0_PDEView) to (com_hp_psdriver_19_11_0_PDEAccountingController): missing setter or instance variable
Notes[2198]: Printing failed because PMSessionEndDocumentNoDialog() returned -30871.
The reason I want to use a script is that there are 20 printers to add on each of 30 new Macs. The actual script uses a series of arrays with lpadmin in a for loop. Everything I have read says it should work. What am I missing?
I think -E specified before the printer name enables encryption, whereas specified after it enables the printer - effectively "unpausing" it. Madness, I know!
Mad Apple Documentation - see second sentence
I think you want:
lpadmin -p TEST_01 -v $SUBNET$TEST_01 -P "$PPD_DIR/$TEST_01_PPD" -D "TEST_01" -L "Top Floor" -E
I don't have a direct answer, but I can suggest an alternate approach: set up all 20 printers by hand on one computer, then copy the /etc/cups directory from that one to the other 29.
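An added example, not from the question or either answer: the questioner's arrays-in-a-loop script reworked as a POSIX sh table with -E placed after -p, as the first answer recommends, plus a check that the PPD file exists and a lpstat call so a paused queue is noticed immediately. The printer rows are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answers above): the questioner's
# arrays-in-a-loop idea as a POSIX sh table, with -E placed after -p so each
# queue is enabled instead of asking for encryption. Printer names, octets and
# PPD files below are constructed placeholders, not the real 20 printers.
SUBNET=socket://10.20.30.
PPD_DIR="${PPD_DIR:-/Library/Printers/PPDs/Contents/Resources}"
LPADMIN="${LPADMIN:-lpadmin}"   # overridable so the loop can be dry-run
LPSTAT="${LPSTAT:-lpstat}"

# add_printers: read "name|octet|ppd|location" rows on stdin, skip rows whose
# PPD file is missing (a quiet cause of unusable queues), add the rest and
# show each queue's state so a paused queue is noticed right away.
add_printers() {
    while IFS='|' read -r name octet ppd loc; do
        [ -n "$name" ] || continue
        if [ ! -f "$PPD_DIR/$ppd" ]; then
            echo "skip $name: PPD not found: $PPD_DIR/$ppd" >&2
            continue
        fi
        "$LPADMIN" -p "$name" -v "$SUBNET$octet" -P "$PPD_DIR/$ppd" -D "$name" -L "$loc" -E
        "$LPSTAT" -p "$name"
    done
}

# Constructed printer table; add one row per printer.
add_printers <<'EOF'
TEST_01|40|hp LaserJet P3010 Series.gz|Top Floor
TEST_02|41|hp LaserJet P3010 Series.gz|Ground Floor
EOF
```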

set additional folder for snmp MIBs

I am rebuilding an Icinga server that has been left behind by a previous employee. I have everything up and running, except for a bunch of MIB files for 3com switches that I cannot get to work.
The server is a CentOS 6 OpenVZ container.
In the original server there is a bunch of mib files in the default location at /usr/share/snmp/mibs/ and the 3com ones at /usr/share/snmp/mibs/3Com_4500/MIBs. The 3Com mibs work fine:
/usr/lib/nagios/plugins/check_snmp -H 10.10.111.11 -P 2c -C public -o hwDevMFanStatus.65536 -s "active(1)" -m A3COM-HUAWEI-LswDEVM-MIB
SNMP OK - active(1) |
In the new server, the MIBs in the 3com folder do not get acknowledged and I get errors like the following:
/usr/lib/nagios/plugins/check_snmp -H 10.10.111.11 -P2c -C someuser -o hwDevMFanStatus.65536 -s "active(1)" -m A3COM-HUAWEI-LswDEVM-MIB
External command error: No log handling enabled - turning on stderr logging
Cannot find module (A3COM-HUAWEI-LswDEVM-MIB): At line 0 in (none)
hwDevMFanStatus.65536: Unknown Object Identifier (Sub-id not found: (top) -> hwDevMFanStatus)
/etc/snmp/snmpd.conf is identical for both servers and so is /etc/sysconfig/snmp.
set does not show any ENV variable related to snmp or mib.
Thanks
You are confusing snmpd.conf and snmp.conf: the former is the configuration file for the SNMP daemon, whereas the Net-SNMP applications use snmp.conf.
The mibs/mibdirs directives you are interested in would be specified in snmp.conf (see also man snmp.conf).
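An added example, not from the question or the answer: it registers the 3Com MIB directory from the question with the Net-SNMP applications through snmp.conf (the file the answer points at, not snmpd.conf) and checks that the MIB resolves before involving Icinga. The /etc/snmp/snmp.conf location is an assumption; point SNMP_CONF at ~/.snmp/snmp.conf for a per-user setup.

```shell
#!/bin/sh
# Added example (not from the question or answer above): register the 3Com MIB
# directory with the Net-SNMP applications via snmp.conf (the file the answer
# points at, not snmpd.conf) and check the MIB resolves before involving Icinga.
# The MIB path is the question's; SNMP_CONF defaulting to /etc/snmp/snmp.conf
# is an assumption (set it to ~/.snmp/snmp.conf for a per-user setup).
SNMP_CONF="${SNMP_CONF:-/etc/snmp/snmp.conf}"
MIB_DIR=/usr/share/snmp/mibs/3Com_4500/MIBs

# ensure_directive FILE KEY VALUE: set "KEY VALUE" in FILE, replacing an existing
# KEY line instead of appending a duplicate, so re-running stays idempotent.
ensure_directive() {
    file=$1 key=$2 value=$3
    touch "$file"
    if grep -q "^$key[[:space:]]" "$file"; then
        sed -i.bak "s|^$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# configure_snmp_mibs: a leading "+" appends to the compiled-in defaults rather
# than replacing them; "mibs +ALL" loads every module found in those
# directories so the A3COM-HUAWEI-* module names from the question resolve.
configure_snmp_mibs() {
    ensure_directive "$SNMP_CONF" mibdirs "+$MIB_DIR"
    ensure_directive "$SNMP_CONF" mibs "+ALL"
    # Resolve the object from the question to a numeric OID; "Unknown Object
    # Identifier" here means the path or module name is still wrong.
    snmptranslate -On A3COM-HUAWEI-LswDEVM-MIB::hwDevMFanStatus
}
```

Run `configure_snmp_mibs` as root (or with SNMP_CONF pointed at a per-user file); check_snmp calls the Net-SNMP tools, which read snmp.conf on their next run.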