Some of the guys on IRC channel #macintosh helped me to get this working. I wanted to find a way to view my firewall logs in realtime, without having to leave Console open and without using tail -f /pathto/log in a cramped Terminal window. Since BrickHouse (or just plain old ipfw) allows you to turn on logging for firewall rules, I wanted to put those specific entries into a separate logfile other than system.log, which captures other unrelated things. If I could output this new logfile to DesktopConsole, then I would have something close to a realtime intrusion alert system.
What I did is add a line to /etc/syslogd.conf which reads:

    authpriv,remoteauth,ftp.none;kern.debug /var/log/Firewall.log

That will redirect any ipfw hits to output to Firewall.log. Note that you can name the file whatever you like; just make sure the filenames match in all entries. I then did:

    % sudo touch /var/log/Firewall.log

That creates a blank logfile which syslogd will write its entries to. You will need to kill -HUP the syslogd process for this to take effect. Remember to add some firewall rules, with logging enabled, if you want to see anything appear.

Here is a portion of a screenshot showing what the hack and DesktopConsole can do for you. Notice the messages; they appear whenever someone triggers the firewall.

    Jun 26 13:57:42 47ronin mach_kernel: ipfw: 52040 Deny UDP 17.254.0.27:123 68.8.39.46:123 in via en0
    Jul 1 15:39:24 47ronin mach_kernel: ipfw: 2008 Accept TCP 66.192.2.55:51353 68.8.39.46:22 in via en0
    Jul 1 23:50:08 47ronin mach_kernel: ipfw: 52040 Deny TCP 205.158.183.111:36964 68.8.39.46:21 in via en0

Note: The logfile will grow in size over time, so you may need to delete it, and recreate it (using touch, see above). When you do so, you also need to restart syslogd for it to keep logging entries.
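The kern.debug selector sends every kernel-facility message to Firewall.log, not only ipfw hits, so a small filter helps when reviewing the file. The Python below is an added example, not part of the original hint: it parses entries in the format shown above and counts Deny hits per source address, protocol and destination port. The function names and the optional-port handling are assumptions, and the last sample line is constructed.

```python
import re
from collections import Counter

# Matches ipfw entries as written by syslogd in the format shown in the hint.
# Ports are optional so entries logged without them still parse (assumption).
IPFW_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\sipfw:\s"
    r"(?P<rule>\d+)\s(?P<action>\w+)\s(?P<proto>\S+)\s"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s"
    r"(?P<dir>in|out)\svia\s(?P<iface>\S+)"
)

def parse_ipfw(line):
    """Return a dict of fields for an ipfw entry, or None for any other line."""
    m = IPFW_LINE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    for key in ("rule", "sport", "dport"):
        if hit[key] is not None:
            hit[key] = int(hit[key])
    return hit

def denied_by_source(lines):
    """Count Deny entries keyed by (source address, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        hit = parse_ipfw(line)
        if hit and hit["action"] == "Deny":
            counts[(hit["src"], hit["proto"], hit["dport"])] += 1
    return counts

# The first three lines are the entries quoted in the hint; the fourth is a
# constructed non-ipfw kernel message that the parser must skip.
SAMPLE = [
    "Jun 26 13:57:42 47ronin mach_kernel: ipfw: 52040 Deny UDP 17.254.0.27:123 68.8.39.46:123 in via en0",
    "Jul 1 15:39:24 47ronin mach_kernel: ipfw: 2008 Accept TCP 66.192.2.55:51353 68.8.39.46:22 in via en0",
    "Jul 1 23:50:08 47ronin mach_kernel: ipfw: 52040 Deny TCP 205.158.183.111:36964 68.8.39.46:21 in via en0",
    "Jul 1 23:51:00 47ronin mach_kernel: constructed non-ipfw kernel message",
]

if __name__ == "__main__":
    # To review the real file, pass open("/var/log/Firewall.log") instead of SAMPLE.
    for (src, proto, dport), n in denied_by_source(SAMPLE).most_common():
        print(f"{n:4d}  {src:<16} {proto} -> port {dport}")
```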
Mac OS X Hints
http://hints.macworld.com/article.php?story=20020710081854599