47

There are comments in the /etc/rsyslog.d/20-ufw.conf file that give you the option to keep UFW events from being logged to the kernel and message logs, which I have done.

I would really like to get UFW events out of dmesg as well, but how can I accomplish that?

Jorge Castro
  • 73,717

6 Answers

42

You can disable UFW logging with the following command from the shell:

sudo ufw logging off

The default log level is low. From the UFW man page:

  • off disables ufw managed logging
  • low logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules
  • medium log level low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
  • high log level medium (without rate limiting), plus all packets with rate limiting
  • full log level high without rate limiting

You can get current log level with sudo ufw status verbose.

Pablo Bianchi
  • 17,371
16

I have done some investigation into this issue.

I don't believe there is a way around this.

The dmesg command directly prints the contents of the Kernel Ring Buffer. This contains all the ufw log entries that you are seeing.

The /etc/rsyslog.d/20-ufw.conf file is telling rsyslog which of the ufw entries in the Kernel Ring Buffer to log to either the /var/log/ufw.log or /var/log/kern.log.

You can prevent the ufw entries from being logged to /var/log/kern.log (to remove duplication) by uncommenting the line in /etc/rsyslog.d/20-ufw.conf that contains & ~.

Unfortunately there is no way to prevent the dmesg command from displaying these messages. Your work around is the best I can come up with.

Eliah Kagan
  • 119,640
6

For people who would like to fine-tune the log level further, I suggest using 'log' or reject/deny rules (see the ufw man page for details). For example, you can use 'logging off' and then insert explicit logging rules for what you want to log. Alternatively, you can use 'logging low' and then insert explicit deny/reject rules to quietly deny matches that would otherwise be logged.

Eliah Kagan
  • 119,640
Anuser
  • 61
3

The above answer is the only way:

    dmesg | grep -v UFW

But you can use this more easily, by setting an alias like this:

    alias dmesg='dmesg | grep -v UFW'

This will execute dmesg | grep -v UFW if you enter dmesg.

If you want to keep the colorful version of dmesg, you can use the following command:

    alias dmesg='dmesg --color=always | grep -v UFW --color=always'

This way dmesg uses colors over the pipe too.

WARNING! Only use this method while viewing logs and searching for something, because it might break some third-party scripts in that session.

Nmath
  • 12,664
3

You could also just use grep to filter out the UFW messages. For instance,

dmesg | grep -v UFW

This way you can also keep the logging for reviewing.

Pablo Bianchi
  • 17,371
0

To get rid of the warnings, you can also block the IPs explicitly if you are sure they are malicious; see UFW BLOCK entries in the log.

It uses the command sudo ufw deny from XXX to YYY so that those IPs cannot ping or SSH into your server. The script in the link above parses all those malicious IPs from the syslog.
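As an added example (not from any of the answers or the script linked above), here is a shell snippet that keeps the UFW log useful for review instead of just hiding it: it summarises `[UFW BLOCK]` entries from kern.log or dmesg output by a chosen field (SRC, DPT, PROTO, ...) so you can see which sources or ports are hitting the firewall most before deciding on explicit deny rules. The log lines are constructed samples using documentation addresses, not real traffic.

```shell
#!/usr/bin/env bash
# Constructed sample lines in the format UFW writes to kern.log / dmesg.
# Addresses are RFC 5737 documentation ranges; none of this is real traffic.
sample_ufw_log() {
    cat <<'EOF'
Mar  3 10:01:02 host kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:05 host kernel: [ 1237.111111] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:09 host kernel: [ 1241.222222] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1001 PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:12 host kernel: [ 1244.333333] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=51236 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:20 host kernel: [ 1252.444444] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:25 host kernel: [ 1257.555555] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1002 PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:30 host kernel: [ 1262.666666] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=2222 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Count occurrences of one key=value field (e.g. SRC, DPT, PROTO) across
# the "[UFW BLOCK]" lines read on stdin. ALLOW/AUDIT lines are ignored.
# Prints "count value" pairs, most frequent first; prints nothing if the
# input contains no BLOCK entries.
ufw_block_count() {
    local field="$1"
    grep -F '[UFW BLOCK]' \
    | grep -o "${field}=[^ ]*" \
    | cut -d= -f2 \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Stand-alone demonstration: which sources and which destination ports
# account for most of the blocked packets in the sample.
echo "Blocked packets by source:";           sample_ufw_log | ufw_block_count SRC
echo "Blocked packets by destination port:"; sample_ufw_log | ufw_block_count DPT
```

On a live system replace `sample_ufw_log` with `grep UFW /var/log/kern.log` (or `journalctl -k`) and feed the output into the same function.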