UFW Logs

By default, UFW on Ubuntu logs blocked packets to three different files: /var/log/ufw.log, /var/log/kern.log, and /var/log/syslog.

The UFW package creates the following /etc/rsyslog.d/20-ufw.conf (on Ubuntu 22.04):

$ cat /etc/rsyslog.d/20-ufw.conf
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop

To log only to ufw.log, and not to kern.log and syslog:

  • Uncomment the & stop line (remove the leading #) in /etc/rsyslog.d/20-ufw.conf. The & stop directive applies to messages matched by the preceding rule, so UFW messages are written to ufw.log and then discarded before the later rules that write kern.log and syslog see them.

  • Restart rsyslog:

    sudo service rsyslog restart

In an Ansible playbook, for example:

  tasks:
    - name: "Fix rsyslog config to prevent UFW logging in kern.log and syslog"
      ansible.builtin.lineinfile:
        path: "/etc/rsyslog.d/20-ufw.conf"
        regexp: "^#& stop"
        line: "& stop"
        backup: yes
      notify: "Restart rsyslog service"
      tags:
        - syslog-ufw-cfg

  handlers:
    - name: "Restart rsyslog service"
      ansible.builtin.service:
        name: rsyslog
        state: restarted
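The same change as the playbook above, written as a plain POSIX shell script. This is an added example, not code from the original page: it uncomments `#& stop` idempotently, keeps a backup like the task's `backup: yes`, and adds a small check for counting `[UFW ` entries in a log file so the effect of the change can be confirmed after rsyslog is restarted. The function names are my own, and the sample config it writes is a constructed copy of the stock Ubuntu 22.04 file shown on this page.

```shell
#!/bin/sh
# Added example, not from the original page: apply the "& stop" change from
# the procedure above with plain shell, idempotently, and verify the result.
# Assumes the stock Ubuntu 22.04 layout of 20-ufw.conf shown on this page.

# Write a constructed copy of the stock 20-ufw.conf to the given path, so the
# script can be tried without touching /etc/rsyslog.d.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop
EOF
}

# Return 0 if the file already has an active (uncommented) "& stop" line.
ufw_stop_active() {
    grep -q '^& stop$' "$1"
}

# Uncomment "#& stop" in the given rsyslog config. Idempotent: a second run
# changes nothing. Prints "changed" or "unchanged"; fails if the line is absent.
enable_ufw_stop() {
    conf="$1"
    if ufw_stop_active "$conf"; then
        echo unchanged
        return 0
    fi
    # Keep a backup, like "backup: yes" in the Ansible task above.
    cp "$conf" "$conf.bak"
    # In a sed replacement "&" means "the matched text", so it is escaped.
    sed 's/^#& stop$/\& stop/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    if ufw_stop_active "$conf"; then
        echo changed
    else
        echo "no '#& stop' line found in $conf" >&2
        return 1
    fi
}

# Count UFW entries in a log file. After "service rsyslog restart", kern.log
# and syslog should stop gaining such entries while ufw.log still does.
count_ufw_entries() {
    grep -c '\[UFW ' "$1" || true
}

# Demo on a constructed copy so nothing under /etc is modified.
tmpdir=$(mktemp -d)
make_sample_conf "$tmpdir/20-ufw.conf"
enable_ufw_stop "$tmpdir/20-ufw.conf"   # changed
enable_ufw_stop "$tmpdir/20-ufw.conf"   # unchanged
rm -r "$tmpdir"
```

To apply it to the real file, run enable_ufw_stop /etc/rsyslog.d/20-ufw.conf as root and then sudo service rsyslog restart; the demo at the bottom of the script only works on a temporary copy, so drop it if you source the functions into another script. Comparing count_ufw_entries /var/log/kern.log before and a few minutes after the restart shows whether the change took effect.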

References

  1. Remove UFW Block from kern.log and sys.log (serverfault.com)

Updated 2024-09-03