Daily security mail reports pf denied packets: how to inspect them?

The daily digest of my local server has started to report some blocked traffic:

Code:
myserver pf denied packets:
+block return in all [ Evaluations: 5994 Packets: 546 Bytes: 55249 States: 0 ]

In my `/etc/rc.conf` I have:

Code:
pf_enable="YES"
pflog_enable="YES"

ifconfig shows three interfaces: em0, lo0, and pflog0. For pflog0:

Code:
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
    groups: pflog

In /var/log/pflog I do not find anything: it's a 24 byte file. I have run tcpdump -n -e -tttt -i pflog0 for a day, but no packets were captured. What am I missing? Where do I find a log of the denied packets, so that I can inspect them?
 
Hello,

Don't you have any previous pflog files? I mean /var/log/pflog.{0,1,2,...}.bz2

I can see what is in those files with tcpdump like this:
# bzcat /var/log/pflog.2.bz2 | tcpdump -qnr -


Reading man for pflogd may help too.
 
Mmh, no archived log files. In fact, it appears that pflogd is not logging at all, although it is up and running:

$ service pflog status
pflog is running as pid 86523.
$ ps ax | grep pf
84111 - DL 3:53.74 [pf purge]
86523 - Is 0:00.00 pflogd: [priv] (pflogd)
87301 - S 0:36.43 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)


I will try to run it in the foreground.
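One detail worth checking before debugging pflogd itself: the denied rule shown in the daily report, `block return in all`, carries no `log` keyword, and pf only copies packets to pflog0 for rules that have one. The script below is an added example written for this thread, not code from any of the posters or from FreeBSD; it scans a ruleset in `pfctl -sr` output form and lists every `block` rule that would drop traffic without ever reaching /var/log/pflog. The sample rules are constructed here so it runs without pf present; on a live system you would feed it `pfctl -sr` instead.

```shell
#!/bin/sh
# Added example: report pf "block" rules that lack the "log" keyword.
# Only logged rules hand packets to pflog0, so pflogd stays silent and
# /var/log/pflog stays at its 24-byte header if no block rule logs.

# Constructed sample in the format printed by `pfctl -sr` (one rule per line).
SAMPLE_RULES='scrub in all fragment reassemble
block return in all
block return log in on em0 all
pass in on em0 proto tcp from any to (em0) port 22 flags S/SA keep state
block drop in quick on em0 from <bruteforce> to any
pass out on em0 all flags S/SA keep state'

# Print each block rule whose keywords contain no "log"; exit 1 if any exist.
# pfctl prints the keyword as "log" or "log (all)", so matching the bare
# token "log" covers both forms.
unlogged_block_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "block" {
            logged = 0
            for (i = 2; i <= NF; i++) if ($i == "log") logged = 1
            if (!logged) { print; n++ }
        }
        END { exit (n > 0) }'
}

# Number of unlogged block rules, as a plain integer (tr strips BSD wc padding).
count_unlogged() {
    unlogged_block_rules "$1" | wc -l | tr -d ' '
}

if unlogged_block_rules "$SAMPLE_RULES"; then
    echo "every block rule logs; check pflogd and pflog0 next"
else
    echo "the rules above deny traffic silently; add 'log' to see them via"
    echo "  tcpdump -n -e -ttt -r /var/log/pflog"
fi
```

Running it against the sample prints the two unlogged rules (`block return in all` and the quick block on em0). Replacing `$SAMPLE_RULES` with `$(pfctl -sr)` on the server answers the question directly: if the only deny rule is unlogged, tcpdump on pflog0 will never see a packet no matter how healthy pflogd looks in `service pflog status`.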
 