DoorStop X Firewall
User's Guide

Logging

Logging overview

DoorStop X's logging feature allows you to create a log of all accesses allowed through DoorStop, all access attempts denied by DoorStop, or a combination. The log file is useful for seeing who has attempted to access which services and for spotting possible security violations, particularly if you're using Open Door's Who's There? Firewall Advisor. Unless you change it, DoorStop will log all access attempts, allowed and denied, to all services.

Logging is only active when DoorStop protection is also active. If you stop that protection (through the Stop button in the Setup window), logging will stop as well.

Setting logging defaults

To set DoorStop's overall logging defaults, choose "Preferences" from the DoorStop X menu. The Preferences dialog appears as shown below in Figure 1.

Figure 1. Logging dialog

Click the Logging icon if it's not selected, and then check or uncheck the appropriate boxes under "Logging defaults." Logging defaults apply to all protected services (including "All Other Services") unless you override those defaults for specific services (see the next section). You can set DoorStop's default to log all denied access attempts, all allowed access attempts, both, or neither (that is, no logging at all).

Setting service-specific logging

It is possible to override DoorStop's logging defaults on a service-by-service basis. For instance, if you are running a Web server, you may not wish to log successful access attempts to the Web Sharing service (which could include one entry for every hit to the server), but you may wish to log all other successful access attempts (for instance to File Sharing). In this case you would set DoorStop's default logging to log all allowed accesses, but specifically configure the Web Sharing service to never log allowed accesses.

To override the logging defaults for a service, select the service from the protected service list (the left-hand pane) in DoorStop's Setup window; if the service is not in the list, you'll need to add it, as described in User-defined Services. With the service selected, choose "Customize..." from the logging popup menu in the right-hand pane of the Setup window. Doing so brings up a dialog that allows you to override the logging defaults for that service (Figure 2). You can override the allowed access logging default, the denied access logging default, or both. When overriding, you can tell DoorStop either to always log the access attempt for that service or to never do so. The Logging popup menu title will then change from "Logging: Default" to "Logging: Custom" to indicate that custom logging is in effect for that service.

Figure 2. Customize Logging dialog
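
The precedence rules described in this section, sketched as an added Python example (not Open Door Networks' code; the class, field and function names are hypothetical). It models the logging defaults, the per-service "always"/"never" overrides and the Web server scenario above, and applies the rule that logging stops when protection stops.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative model only: these names are assumptions, not DoorStop X internals.
@dataclass
class Override:
    # None = follow the default; True = always log; False = never log
    allowed: Optional[bool] = None
    denied: Optional[bool] = None

@dataclass
class LoggingPolicy:
    log_allowed: bool = True        # out of the box, allowed accesses are logged
    log_denied: bool = True         # out of the box, denied attempts are logged
    protection_active: bool = True
    overrides: Dict[str, Override] = field(default_factory=dict)

    def should_log(self, service: str, allowed: bool) -> bool:
        # Logging is only active while protection is active.
        if not self.protection_active:
            return False
        ov = self.overrides.get(service, Override())
        custom = ov.allowed if allowed else ov.denied
        if custom is not None:
            return custom           # a per-service override wins over the default
        return self.log_allowed if allowed else self.log_denied

    def menu_title(self, service: str) -> str:
        ov = self.overrides.get(service, Override())
        custom = ov.allowed is not None or ov.denied is not None
        return "Logging: Custom" if custom else "Logging: Default"

    def unlogged_denials(self, services: List[str]) -> List[str]:
        # Services whose denied attempts would leave no trace in the log.
        return [s for s in services if not self.should_log(s, allowed=False)]

def web_server_policy() -> LoggingPolicy:
    # Defaults log everything; Web Sharing never logs allowed hits.
    return LoggingPolicy(overrides={"Web Sharing": Override(allowed=False)})

if __name__ == "__main__":
    p = web_server_policy()
    services = ["Web Sharing", "File Sharing", "All Other Services"]
    for svc in services:
        for allowed in (True, False):
            kind = "allowed" if allowed else "denied"
            print(f"{svc:20} {kind:8} logged={p.should_log(svc, allowed)}")
    print("denied attempts not logged for:", p.unlogged_denials(services))
```

In the Web server scenario only the allowed Web Sharing hits drop out of the log; denied attempts against that service are still recorded.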

Log file details and archiving

The log file created by DoorStop is named "WhosThere.log" (for use with Open Door's Who's There? Firewall Advisor), and is written to the folder "Preferences" within the folder "Library" at the root of your hard disk (that is, the directory /Library/Preferences). The log file is described in detail in the Log File Format appendix. To view DoorStop's log, choose "View Log" from DoorStop's Log menu. If you've installed Open Door Networks' Who's There? Firewall Advisor, that application will launch, displaying the log file and other valuable information; otherwise, the Console application will launch and display the log file. See the Reading the Log File appendix for details of how to use DoorStop's log file to spot possible security violation attempts.

Although DoorStop's log file becomes more useful as more information is logged, it can become so large that it's difficult to work with. DoorStop includes the ability to automatically archive and then reset the log file periodically, or whenever it passes a certain size. Archiving options are specified through the Logging Preferences pane (Figure 1). Check the "Enable automatic log archiving" box and then choose one of the two options. You can choose to archive by time or by size.

If you choose to archive by time, you can archive every day, week, month or year. Archiving will happen every day, or on the first day of the new week (always a Saturday) or of the new month or new year. Assuming your computer is on, archiving will happen at 3am. If your computer is not on, archiving will happen at 3am the next time it is on. The DoorStop X application does not need to be running for archiving to take place. If you choose archiving by size, it will happen at 3am the first time your computer is on after the log file passes the indicated maximum size.

Archived log files are stored in a folder called "Open Door Networks" in the same folder as the DoorStop log file itself (/Library/Preferences). Their names include the date on which the archive was made. Once the log file is archived, the original log file (WhosThere.log) is reset.

Manually resetting the log file

You can also manually reset and archive DoorStop's log. The Log menu provides for resetting the log file, as well as various ways of viewing the log. To manually reset DoorStop's log file, choose "Reset Log..." from the Log menu, bringing up the dialog shown in Figure 3.

Figure 3. Reset Log dialog

If you do not check the checkbox, clicking OK will simply clear the current log file, and all current data in the file will be lost. If you want to save the current data in the log file and start a new log, check the checkbox and then click OK. The current log file is then archived as described in the section above on log file details.

Viewing the log file

DoorStop X can display information about the log file, and it can also invoke Who's There?, if installed, to display log lines or summaries of log lines. Note that doing so requires Who's There? 2.0 or later.

