# Daily security mail reports pf denied packets: how to inspect them?



## lifepillar (Feb 6, 2021)

The daily digest of my local server has started to report some blocked traffic:


```
myserver pf denied packets:
+block return in all [ Evaluations: 5994 Packets: 546 Bytes: 55249 States: 0 ]
```

In my `/etc/rc.conf` I have:


```
pf_enable="YES"
pflog_enable="YES"
```

ifconfig shows three interfaces: em0, lo0, and pflog0. For pflog0:


```
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
    groups: pflog
```

In `/var/log/pflog` I do not find anything: it's a 24 byte file. I have run `tcpdump -n -e -tttt -i pflog0` for a day, but no packets were captured. What am I missing? Where do I find a log of the denied packets, so that I can inspect them?


----------



## kisscool-fr (Feb 6, 2021)

Hello,

Don't you have any previous pflog files? I mean `/var/log/pflog.{0,1,2,...}.bz2`

I can see what is in those files with tcpdump like this:
`# bzcat /var/log/pflog.2.bz2 | tcpdump -qnr -`

Reading the man page for pflogd may help too.


----------



## lifepillar (Feb 6, 2021)

Mmh, no archived log files. In fact, it appears that pflogd is not logging at all, although it is up and running:

```
$ service pflog status
pflog is running as pid 86523.
$ ps ax | grep pf
84111  -  DL       3:53.74 [pf purge]
86523  -  Is       0:00.00 pflogd: [priv] (pflogd)
87301  -  S        0:36.43 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
```

I will try to run it in the foreground.


----------
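
Added example, not part of the thread or of pf/pflogd: a 24-byte `/var/log/pflog` is exactly the size of a classic pcap global header, so such a file holds zero packet records. The Python sketch below parses that header and counts records to tell a valid-but-empty capture from a damaged one; the function name and the sample bytes are constructed for illustration, with the snaplen taken from the `-s 116` in the `ps` output above.

```python
import struct

PCAP_GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_PFLOG = 117       # pcap link type used for pflog(4) captures
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def summarize_pcap(data):
    """Return header fields and the number of complete packet records."""
    if len(data) < PCAP_GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_GLOBAL_HDR_LEN])
    packets, offset, truncated = 0, PCAP_GLOBAL_HDR_LEN, False
    while offset < len(data):
        if offset + PCAP_RECORD_HDR_LEN > len(data):
            truncated = True   # partial record header at end of file
            break
        _sec, _frac, incl_len, _orig = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HDR_LEN])
        offset += PCAP_RECORD_HDR_LEN + incl_len
        if offset > len(data):
            truncated = True   # record body cut short
            break
        packets += 1
    return {"version": (major, minor), "snaplen": snaplen,
            "is_pflog": linktype == LINKTYPE_PFLOG,
            "packets": packets, "truncated": truncated}


# Constructed sample: empty capture header, snaplen 116, pflog link type.
EMPTY_PFLOG = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 116, LINKTYPE_PFLOG)
# Constructed sample: the same header followed by one 8-byte dummy record.
ONE_RECORD = EMPTY_PFLOG + struct.pack("<IIII", 1612600000, 0, 8, 8) + b"\x00" * 8

if __name__ == "__main__":
    # On the server, pass open("/var/log/pflog", "rb").read() instead.
    print(len(EMPTY_PFLOG), summarize_pcap(EMPTY_PFLOG))
    print(len(ONE_RECORD), summarize_pcap(ONE_RECORD))
```
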

