The PF log daemon, pflogd, takes the packets that PF sends to a capture datalink and writes them to a log file in libpcap binary file format. PF logs packets when a policy rule contains the optional log action. The pflogd daemon runs as the svc:/network/firewall/pflog SMF service. By default, the log action sends packets to the pflog0 datalink. The packets are written by the pflog:default service instance to a pflog0.pkt log file in the /var/log/firewall/pflog directory.
The pflog service provides a second level of filtering:
- PF is the first level of filtering. PF filters packets according to various capture datalinks.
- The PF pflogd daemon provides a second level of filtering. It filters packets coming to a particular capture datalink due to the log action in a PF rule.
The additional filtering is useful when firewall administration is divided between a network policy administrator and a network operator. The policy administrator can change firewall rules, but cannot observe or sniff network traffic, while the network operator can only observe traffic. The network operator can use the pflog service to log only the desired packets.
For ways to customize packet logging, see Using Packet Filter Logging and the pflogd(8) man page.
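
Because the log is a libpcap binary file, its container can be checked before the file is handed to other tools. The following is an added example, not code from this documentation or from the pflog service: it validates the libpcap file header, confirms the link type is the libpcap PFLOG type (117), and counts records, including those cut short by the snapshot length. The function names and the sample bytes are constructed for illustration, and the record payloads are placeholders rather than real PF log headers.

```python
import struct

LINKTYPE_PFLOG = 117  # libpcap link-layer type for PF log records
MAGICS = {  # magic as stored on disk -> (byte order, timestamp units per second)
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),
    b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),
    b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def summarize_pcap(data):
    """Validate a libpcap capture held in `data` and return summary facts."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a libpcap file")
    order, frac = MAGICS[data[:4]]
    # version major/minor, timezone offset, timestamp accuracy, snaplen, linktype
    major, minor, _, _, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    info = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "is_pflog": linktype == LINKTYPE_PFLOG, "records": 0, "truncated": 0,
            "first_ts": None, "last_ts": None, "partial_tail": False}
    off = 24
    while off < len(data):
        if off + 16 > len(data):            # incomplete record header at end of file
            info["partial_tail"] = True
            break
        sec, sub, caplen, origlen = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):   # record body runs past end of file
            info["partial_tail"] = True
            break
        ts = sec + sub / frac
        if info["first_ts"] is None:
            info["first_ts"] = ts
        info["last_ts"] = ts
        info["records"] += 1
        info["truncated"] += caplen < origlen   # packet was longer than what was saved
        off += 16 + caplen
    return info

def _sample():
    """Constructed sample: file header plus two records with placeholder payloads."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 160, LINKTYPE_PFLOG)
    r1 = struct.pack("<IIII", 1700000000, 250000, 8, 8) + b"\x00" * 8
    r2 = struct.pack("<IIII", 1700000005, 0, 160, 400) + b"\x00" * 160
    return hdr + r1 + r2

if __name__ == "__main__":
    print(summarize_pcap(_sample()))
```

To check a real log, pass the bytes of /var/log/firewall/pflog/pflog0.pkt to summarize_pcap(). A set partial_tail flag can simply mean the daemon was writing a record while the file was being read.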