Excessive 'SecurityServer' log entries for ServerEventAgent after Adaptive Firewall

Hello all,
I'm running an OS X Server running 10.8.2. After enabling the Adaptive Firewall last night (http://support.apple.com/kb/HT5519, http://support.apple.com/kb/TS4418), I started noticing a massive number of logs in /var/log/system.log that look like this:
Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin' by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (2,0)
Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin' by client '/Library/PrivilegedHelperTools/com.apple.serverd' [71] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (100000,0)
Does anyone have thoughts on this? They generally come in pairs like above. I've seen other SecurityServer logs while managing the server, but the number of them (and ServerEventAgent string) have really jumped up after trying to enable the Adaptive Firewall. I'm not even sure the firewall is working at this point, as running hb_summary tells me there have been 0 blocks in the last 24 hours. Yesterday, before trying to enable the AF, the server was trying to block login bots every few minutes, so I'm not sure everything is hooked-up correctly.
It should be noted that I had some trouble with the second KB article linked above because I had previously tried using IceFloor to manage the new pf firewall. Apparently IceFloor removes some lines from /etc/pf.anchors/com.apple and doesn't put them back when you uninstall the program. I re-added the two missing lines at the end (with Apple's edits):
anchor "400.AdaptiveFirewall/*"
load anchor "400.AdaptiveFirewall" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"
Any help would be greatly appreciated!

Ahhhhhhh...that's gotta be it!
Um, I mean no, I did not have relations with that application.
Thanks!
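
An added example, not part of the original thread: a short Python script that tallies the SecurityServer grants quoted in the first post by creating process and client, and flags the minutes in which they cluster. The sample lines, the hostname `server` and the per-minute threshold are constructed assumptions, and each entry is assumed to occupy a single line in /var/log/system.log.

```python
import re
from collections import Counter

AGENT = "/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent"
SERVERD = "/Library/PrivilegedHelperTools/com.apple.serverd"

# Matches the "Succeeded authorizing right" layout shown in the post.
# The timestamp group is cut at the minute so entries can be bucketed.
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ "
    r"com\.apple\.SecurityServer\[\d+\]: "
    r"Succeeded authorizing right '(?P<right>[^']+)' "
    r"by client '(?P<client>[^']+)' \[\d+\] "
    r"for authorization created by '(?P<creator>[^']+)' \[\d+\]"
)


def make_entry(ts, client, pid, flags):
    """Build one constructed entry in the layout quoted in the post."""
    return (f"{ts} server com.apple.SecurityServer[21]: Succeeded authorizing "
            f"right 'system.privilege.admin' by client '{client}' [{pid}] "
            f"for authorization created by '{AGENT}' [131] {flags}")


# Constructed sample, not real data: three agent/serverd pairs in one minute,
# one pair in the next minute, and an unrelated line that must be ignored.
PAIR = ((AGENT, 131, "(2,0)"), (SERVERD, 71, "(100000,0)"))
SAMPLE = "\n".join(
    [make_entry(f"Jan 11 17:44:{sec}", c, p, f)
     for sec in ("49", "54", "59") for c, p, f in PAIR]
    + [make_entry("Jan 11 17:45:04", c, p, f) for c, p, f in PAIR]
    + ["Jan 11 17:45:05 server sshd[402]: Connection closed by 192.0.2.10"]
)


def summarize(log_text, per_minute_threshold=5):
    """Count grants by (creator, client, right) and list the busy minutes."""
    by_path = Counter()
    by_minute = Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a SecurityServer grant in the expected layout
        key = (m["creator"].rsplit("/", 1)[-1],
               m["client"].rsplit("/", 1)[-1],
               m["right"])
        by_path[key] += 1
        by_minute[m["ts"]] += 1
    noisy = sorted(ts for ts, n in by_minute.items()
                   if n >= per_minute_threshold)
    return by_path, by_minute, noisy


if __name__ == "__main__":
    paths, minutes, noisy = summarize(SAMPLE)
    for (creator, client, right), n in paths.most_common():
        print(f"{n:5d}  {right}  creator={creator}  client={client}")
    print("minutes at or above threshold:", noisy)
```

To run it against a real log, pass the contents of /var/log/system.log to `summarize()` in place of `SAMPLE`.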

Similar Messages

  • Creating action log entry for incident via SDK in C#

    Hi,
    Does anyone have any example code, or pointer to, of how to add an action log entry (with icon) to an incident? I can't work out what the target for the relationship should be or how to configure it...
    With Thanks,
    Rob

    Anton,
    Thanks for your response! I think the problem may be in how I'm creating "WorkItemMP". In the method below I'm trying to pass in an issue Id parameter to add an action log item to an Issue. 
    How are you creating the  "WorkItemMP"?
    public void UpdateActionLog(string nsId)
    {
        EnterpriseManagementGroup emg1 = new EnterpriseManagementGroup("server01.xyx.com");
        ManagementPackClass classIncident = emg1.EntityTypes.GetClass(new Guid(SYSTEM_WORKITEM_INCIDENT_CLASSS));
        // A604B942-4C7B-2FB2-28DC-61DC6F465C68
        EnterpriseManagementObjectProjection incidentProjection = new EnterpriseManagementObjectProjection(emg1, classIncident);
        ManagementPack WorkItemMP = emg1.ManagementPacks.GetManagementPack(new Guid("DD26C521-7C2D-58C0-0980-DAC2DACB0900"));
        // System.WorkItem.Incident.Library MP
        CreatableEnterpriseManagementObject cemoIncident = new CreatableEnterpriseManagementObject(emg1, classIncident);
        cemoIncident[classIncident, "Id"].Value = nsId;
        ManagementPackClass typeActionLog = emg1.EntityTypes.GetClass("System.WorkItem.TroubleTicket.ActionLog", WorkItemMP);
        CreatableEnterpriseManagementObject objectActionLog = new CreatableEnterpriseManagementObject(emg1, typeActionLog);
        objectActionLog[typeActionLog, "Id"].Value = Guid.NewGuid().ToString();
        objectActionLog[typeActionLog, "Description"].Value = "Incident updated via SDK.\n";
        objectActionLog[typeActionLog, "Title"].Value = "Incident updated via SDK";
        objectActionLog[typeActionLog, "EnteredBy"].Value = "Administrator";
        objectActionLog[typeActionLog, "EnteredDate"].Value = DateTime.Now.ToUniversalTime();
        ManagementPackEnumeration enumeration6 = WorkItemMP.GetEnumerations().GetItem("System.WorkItem.ActionLogEnum.TaskExecuted");
        objectActionLog[typeActionLog, "ActionType"].Value = enumeration6.Id;
        ManagementPackRelationship relationship2 = emg1.EntityTypes.GetRelationshipClass("System.WorkItem.TroubleTicketHasActionLog", WorkItemMP);
        if (incidentProjection != null)
        {
            incidentProjection.Add(objectActionLog, relationship2.Target);
            incidentProjection.Commit();
        }
    }

  • Thousands of log entries for systemd-tmpfiles-clean.timer on boot

    I'm running a 32 bit Arch install as a VMware ESXi 5.1 guest. Whenever the guest boots up, I get several thousand of the following entries in the system log:
    Feb 18 12:49:01 squid systemd[1]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.
    The most recent boot had almost 20,000 entries within 5 seconds:
    $ sudo journalctl -b | grep systemd-tmpfiles-clean.timer | wc -l
    19693
    $ sudo journalctl -b | grep systemd-tmpfiles-clean.timer | sed -n '1p;$p'
    Feb 18 12:49:01 squid systemd[1]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.
    Feb 18 12:49:06 squid systemd[1]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.
    I've pasted the entry into Google but have not come up with anything helpful.
    I have disabled host-guest time sync:
    $ vmware-toolbox-cmd timesync status
    Disabled
    There is a NTP daemon running that syncs time with a single windows server (which is also a guest on the same ESXi host).
    As far as I'm aware there shouldn't be anything else playing with the time, but there's obviously something going on.
    Can anyone please help me troubleshoot?

    I've had the same problem and I don't know what's going wrong. But I have a workaround:
    If you're booting into a graphical environment you can disable the vmtoolsd service
    # systemctl disable vmtoolsd
    and add the following line to your ~/.xinitrc:
    vmware-user-suid-wrapper
    The ~/.xinitrc will start the vmtoolsd service then.
    This solved two problems for me:
    1. No more messages like you posted in my log file.
    2. The virtual machine shuts down promptly (see vmtoolsd not stopping)
    Last edited by BertiBoeller (2013-03-14 13:40:21)

  • Duplicate entries for contacts after BB update 10.2.1.2102

    Hi,
    This is in regards to my boss's blackberry q10.
    I recently updated the OS to 10.2.1.2102 (done via phone update not via BB link).
    After the update, I noticed that all contacts had a duplicate entry with only one of them containing the proper details while the other was blank. I have uploaded the pics through the dropbox link below.
    pictures for BB Q10
    If I delete the blank contact, it solves the problem but I have to do it individually for each contact.
    Is there a better way of doing this? Would really appreciate your help here.
    Thanks,
    Brennan

    If you open the blank one and go to the bottom and hit "Link" does it show what contact list the blank one is in?
    Also, where was the source of the contacts to begin with? Did they come from an Exchange mailbox? Another email account? Wired sync from Link?

  • Log Entries for Terminal Services in Event Viewer?

    Hello
    I wasn't sure exactly where to post this. Answers.microsoft.com directed me here for an answer.
    I'm running Windows 7 Professional 32 bit. It's a standalone PC, not joined to a domain, never configured as a server. I'm puzzled. When I review entries in the Event Viewer, all logon and logoff entries are located in Event Viewer/Applications and Services Logs/Microsoft/Windows/Terminal Server/Local Session Manager/Operational. Every logon/logoff event is recorded here, although I have always had Remote Desktop Services disabled in Services. I would think that logon/logoff events would be recorded in Applications and Services Logs/Microsoft/Windows/Winlogon. That makes more sense to me. Some of these user entries have Address: LOCAL and some are blank. No major hardware or software changes that might have caused this. The Event Viewer only goes back 6 months (1 Mb) and then it's overwritten. Can anyone explain this to me? Thanks for your help.

    Hi,
    The path of Event Viewer/Applications and Services Logs/Microsoft/Windows/Terminal Server/Local Session Manager is used to record Remote Desktop Services activity even though it's disabled.
    Windows logon and logoff activity is recorded in another path: Windows Logs/Security.
    Karen Hu
    TechNet Community Support

  • Since applying Feb 2013 Sharepoint 2010 CUs - Critical event log entries for Blob cache and missing images

    Hi,
    Since applying the February 2013 SharePoint 2010 updates, we are getting lots of entries in our event logs along the following:
    Content Management     Publishing Cache     5538     Critical
    An error occurred in the blob cache.  The exception message was 'The system cannot find the file specified. (Exception from HRESULT: 0x80070002)'
    In pretty much all of these cases the image/file in question that is reported in the ULS logs as missing is not actually in the collaboration site, master page / html etc., so the fix needs to go back to the site owner to make the correction to avoid the 404 (if they make it!). This has only started happening, I believe, since the Feb 2013 SP2010 cumulative updates.
    I didn't see this mentioned as a change / in the Fix list of the February updates, i.e. it flags up a critical error in our event logs. So with a lot of sites and a lot of missing images your event log can quickly fill up.
    Obviously you can suppress them in the monitoring -> web content management -> publishing cache = none & none, which is not ideal.
    So my question is... are others seeing this, and was a change made by Microsoft to flag a 404 missing image / file up as a critical error in the event log when blob cache is enabled?
    If I log this with MS they will just say you need to fix up the missing files in the site, but it would be nice to know this had changed prior! I also deleted and recreated the blob cache and this made no difference.
    thanks
    Brad

    I'm facing the same error on our SharePoint 2013 farm. We are on Aug 2013 CU and if the Dec CU (which is supposed to be the latest) doesn't solve it then what else could be done.
    Some users started getting the message "Server is busy now try again later" with a correlation id. I looked up ULS with that correlation id and found these two errors in addition to hundreds of "Micro Trace Tags (none)" and "forced due to logging gap":
    "GetFileFromUrl: FileNotFoundException when attempting get file Url /favicon.ico The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
    "Error in blob cache. System.IO.FileNotFoundException: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
    "Unable to cache URL /FAVICON.ICO.  File was not found" 
    Looks like this is a bug and MS hasn't fixed it in Dec CU..

  • Microsoft Word generates excessive console log entries

    Since upgrading to MS Word 14.3.0 yesterday my console is filled with entries such as:
    31/1-13 9:49:53.645 AM Microsoft Word[2569]: Menu: 0x7ec5b050 Item: 12 Info:
    31/1-13 9:49:53.645 AM Microsoft Word[2569]:  Text:                              Paste Cells
    31/1-13 9:49:53.645 AM Microsoft Word[2569]:  Mark:                              <none>
    31/1-13 9:49:53.645 AM Microsoft Word[2569]:  Cmd Key:                     C (0x43)
    31/1-13 9:49:53.645 AM Microsoft Word[2569]:  Icon:                              <none>
    31/1-13 9:49:53.645 AM Microsoft Word[2569]:  Style Normal
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Command ID:            22 (0x00000016)
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Modifiers:             0x0E
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Icon Type:             0, Icon Handle: 0x0
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Text Encoding:   4294967294 (0xFFFFFFFE)
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Hierarchical ID: 0 (0x0000)
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Font:                              0 Lucida Grande
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  RefCon:                      0 (0x0)
    31/1-13 9:49:53.646 AM Microsoft Word[2569]:  Key Glyph:             0 (0x0000)
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Enabled?:                    Yes
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Icon Enabled?:   Yes
    31/1-13 9:49:53.647 AM Microsoft Word[2569]: Menu: 0x7ec5b050 Item: 12 Info:
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Text:                              Paste Cells
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Mark:                              <none>
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Cmd Key:                     C (0x43)
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Icon:                              <none>
    31/1-13 9:49:53.647 AM Microsoft Word[2569]:  Style Normal
    31/1-13 9:49:53.648 AM Microsoft Word[2569]:  Command ID:            22 (0x00000016)
    31/1-13 9:49:53.648 AM Microsoft Word[2569]:  Modifiers:             0x0E
    31/1-13 9:49:53.648 AM Microsoft Word[2569]:  Icon Type:             0, Icon Handle: 0x0
    Am I the only one?
    Microsoft's support site does not provide any clues.
    Any thoughts?
    Peter

    Hi Peter, Dear all:
    My console shows about 100 of the following messages per minute
    2013-01-31 2:05:59.871 PM Microsoft Word[4332]: bind_window_backing: cannot map backing data shmem
    2013-01-31 2:05:59.871 PM Microsoft Word[4332]: _CGSLockWindow: Unable to lock window
    Besides that and since I upgraded to 14.3.0 two days ago, MS Word has crashed on me about 30 times (editing a plain simple text only document with track changes) and I've tons of problems with Word's GUI. I have submitted a couple feedback messages describing the problems to MS.
    Realizing this is not the perfect place for this topic note that I have not found any statements from MS re problems with 14.3.0 yet and this is the first discussion I am aware of that recognizes a potential issue with the recent upgrade. My intent is merely to generate some momentum, so please contact MS if you do have problems with 14.3.0 - thanks!

  • Log Entries for T001W

    The table T001W (Plant Table) has LOG CHANGES ticked in the technical settings. Can I know where it will be stored, as in which LOG table, and how the search key would be formed?

    Hi,
    U can get the log changes through  Tcode SCU3.
    Or u can go to CDHDR/CDPOS tables , where all the changes for that table are recorded.
    Regards,
    Naveen

  • WATERMARK log entries

    Hi guys,
    by any chance you might know what are IPC-WATERMARK/ICC-WATERMARK log messages, I googled, everything points to the fact that they are cosmetic, which is not the case, as SIP-400 stops passing traffic, sometimes even directly connected, until box is completely reloaded, module reload does not help. Router is ISG terminating a few K PPPoE sessions, and is one of the anycast RP's, for the access plant. Without reload it causes massive outage 1-2 hours. 
    Entries keep on logging, even after multicast sources were stopped.
    Any input would be much appreciated.
    Thank you,
    Elnur

  • Windowserver log entries: kCGErrorIllegalArgument:

    I'm a newbie to Mac & OS X - I'm seeing lots of entries (sample below) in the log which I don't understand.
    Any help appreciated.
    Dec 09 11:18:23 [55] kCGErrorIllegalArgument: CGXSetWindowListTags: Operation on a window 0x2 not owned by caller SecurityAgent
    Dec 09 11:18:23 [55] kCGErrorIllegalArgument: Set a breakpoint at CGErrorBreakpoint() to catch errors as they are returned
    Dec 09 11:18:23 [55] kCGErrorIllegalArgument: CGXOrderWindow: Operation on a window 0x2 not owned by caller SecurityAgent
    Dec 09 11:29:53 [55] kCGErrorIllegalArgument: CGXSetWindowListTags: Operation on a window 0x6 not owned by caller SystemUIServer
    Dec 09 11:44:49 [55] kCGErrorIllegalArgument: CGXSetWindowListTags: Operation on a window 0x6 not owned by caller Tunnelblick

  • Log Entries not sorted in Problem work items

    We have noticed that the Log Entries in all Problem work items appear to be randomly sorted. You can manually sort them by clicking on the column headers.
    Log entries for Service Request and Incident work items are sorted by Created date as default which I guess is how most people would want them.  Has anyone else noticed this or can this be configured locally somehow?
    Thanks

    Hi,
    I checked my lab, and saw that only incident's log entries is sorted by date:
    Log entries for SR and Problem are not sorted:
    And this is hard-coded, if you want to sort them by date, we should click Date Time.
    Regards,
    Yan Li

  • Logbook - Log Entry

    When I attempt to make a log entry for a FLoc / Equip, message is returned - "Internal Number Range Not Maintained".  Where is this number range maintained?

    Hi,
    Go to SNRO tcode and select the following object, LBK_LGE     Number Range intervals for Log Entry ID and maintain the number range for log book entry.
    Regards,
    N.Nagaraju
    Edited by: nandipati nagaraju on Nov 16, 2009 5:48 AM

  • Equipment Log Entry Validation

    Hi,
    I am doing log entry for equipment like Breakdown, idle, maint. working hrs, shift hrs etc. through IK22, but I want to validate it for 24 hrs, meaning all additions of breakdown, maint., working, idle hrs have to be 24 hrs.
    How can I do this? Suggest me if it can be.
    Thanks in advance,
    Vishal

    When measuring point updation for working hrs counter, the system takes a counter reading of more than 24 hrs in one day. I want to avoid it; it shouldn't take more than 24 hrs.
    Thanks,
    Vishal

  • Excessive log entries with buffalo linkstation

    Hi all,
    I am getting excessive log entries on my MacBook Pro (OS 10.6.7) that appear to be related to my Buffalo LinkStation HD-CELU2 external drive. This drive is connected to my Airport Extreme (latest firmware) via USB and acts as my iTunes (10.2.2) library, which also serves as the music source for a Sonos digital music system. A sample of the log entries follow:
    4/18/11 8:15:22 PM    com.apple.launchd[1]    (jp.buffalo.NASPower) Throttling respawn: Will start in 60 seconds
    4/18/11 8:15:39 PM    com.apple.launchd.peruser.501[131]    (jp.buffalo.NASPower[6798]) posix_spawn("/Library/PrivilegedHelperTools/NasNavigator2.app/Contents/MacOS/NasNavigator2", ...): No such file or directory
    4/18/11 8:15:39 PM    com.apple.launchd.peruser.501[131]    (jp.buffalo.NASPower[6798]) Exited with exit code: 1
    4/18/11 8:15:39 PM    com.apple.launchd.peruser.501[131]    (jp.buffalo.NASPower) Throttling respawn: Will start in 60 seconds
    It says that a file isn't found, and that could be because I uninstalled NASNavigator in an attempt to get rid of these extraneous log entries. Uninstalling the software seems to have only resulted in changing the messages (to "no such file"), not reducing or ending them.
    This log entry is constant; it occurs even when the computer has no need to access the Buffalo hard drive. It makes it very hard to diagnose any other issues because it both clutters the log and causes it to only recall a couple of hours worth of log info.
    Thanks in advance!

    Hi everyone, just registered as I have a Bold 9900 and am considering a Playbook with the new OS2. Does anyone know whether I will be able to get it to talk to my Buffalo Linkstation? I think it's a Pro Duo 2 and is about 2-3 years old.

  • New Archived log entry in alert log after cpu patch 19 applied

    Has anyone applied the October critical patch for 11.1.0.7? I applied the CPU Patch 19 (8892977) for 11.1.0.7 on several Windows 2008 servers and after the patch the alert log displays a new message every time a redo log transfers. This only happens on servers that have archivelog on. It looks like there is some kind of trace set. Anyone know what the message is?
    Thanks,
    Kathie
    Archived Log entry 10937 added for thread 1 sequence 10938 ID 0xa96e3908 dest 10:

    Hi Mark!
    Yes, Oracle informed me that this message is normal and is only used for informational purposes. I should just ignore it.
    Did you apply patch 19? I have also found issues with a high amount of "waits" of type "other". Some jobs are running slightly slower also. Also, if you check your "database health link" on the dbconsole home page you will see consistent "non-critical" alerts. I don't have these alerts on servers not yet patched. These alerts appear to be caused by wait events of "other".
    Kathie
