UFW is not logging how do I troubleshoot?

Question

I have set logging to high.

I am not seeing any log messages.

I do see the empty ufw.log file.

No messages in dmesg

score 9 · Answer 1 · edited Apr 23 '22 at 21:18

The log files are in /var/log/. To get a list of UFW related logs run the following at the command line:

ls /var/log/ufw*

Your results should appear like this:

$ ls /var/log/ufw*
/var/log/ufw.log    /var/log/ufw.log.2.gz  /var/log/ufw.log.4.gz
/var/log/ufw.log.1  /var/log/ufw.log.3.gz

If you do not have logs there you may want to double check the status and settings for UFW.

sudo ufw status verbose

You should get a result like this:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

If logging is off then you need to turn it on by running the following command:

sudo ufw logging low

If you do not have any log files then you can check to see if rsyslogd is running by typing:

sudo service rsyslog status

You should get a result as follows:

$ sudo service rsyslog status
rsyslog start/running, process 991

If it does not show that it is running you can try to start the service:

sudo service rsyslog restart

score 5 · Answer 2 · edited Sep 13 '12 at 14:33

5

last time i checked the log file for ufw it was in the

/var/log/ufw.log

folder, with a lot of other files

edited Sep 13 '12 at 14:33

Jorge Castro

73,717

answered Mar 16 '12 at 08:38

blade19899

26,994

score 3 · Answer 3 · answered Jul 29 '17 at 07:53

Just to add to @cprofitt's answer, I had an issue where UFW was showing:

sudo ufw status verbose
Status: active
Logging: on (low)

But it was not logging. I went through several gyrations, including disable/re-enabling ufw. Checking rsyslog conf, restarting rsyslog. All without any positive results. Still nothing going to the logfile.

I did a sudo ufw logging low and logs started growing once again. So ufw was obviously in some state where it would not write to the logs.

score 2 · Answer 4 · edited Apr 23 '22 at 21:20

@Carlo Wood, the gentleman who after 8 years still did not get this resolved.

touch /var/log/ufw.log

Cycle ufw for good measure and/or adjust perms in the file. Additionally, as mentioned above, do 'ufw status medium' (or whatever) to confirm it's logging now, and then adjust if you want more or less.

Let me know if it's working. I had the same problem, but was able to fix it in minutes after reading this thread and doing what i mentioned in this post.

Note to developer: (if they should see this). on fresh installation of ubuntu 20.04 the /var/log/ufw.log doesn't exist. this problem is easily fixed and won't see issues about it if ufw.log is simply created as part of the OS installation process. my thought is it was either overlooked, or was not low enough lying fruit... either way i have seen this issue before and it's always solved by 'touch /var/log/ufw.log'

Update: I realized I was assuming too much. /var/log/ufw.log should be created on enabling of ufw (as opposed to mega kludge above on creating at OS installation time.

score 0 · Answer 5 · edited Dec 16 '20 at 00:03

I had the same problem. In my case, none of the above suggestions was helpful. I could resolve the issue in the way described on Stackoverflow: https://stackoverflow.com/questions/42374494/ubuntu-16-ufw-not-logging-in-var-log-ufw-log-neither-another-location/42388079#42388079.

To make things easier:

Edit /etc/rsyslog.conf
uncomment line: module(load="imklog") # provides kernel logging support
Then, sudo service rsyslog restart

Logging like a charm since then.

Grant BlahaErath · Answer 6 · 2022-04-23T21:37:27.147

If you installed Ubuntu server minimal you will get something that responds to the ufw command, but it is missing all of its configuration in /etc/ufw. Until I executed apt install ufw, the log entries were directed to /var/log/syslog.

I also installed rsyslog as one of the answers here in this thread recommend, but it didn't help me that much until I restarted rsyslog AFTER installing ufw properly. Why? In /etc/rsyslog.d/ you might see a ufw conf file (mine was named 20-ufw.conf) that splits out the UFW messages into their own file. Since that file wasn't put there in the minimal install, all entries end up in syslog. After doing the ufw install, restarting rsyslog causes it to read the configuration and start putting entries into /var/log/ufw.log

Once I did that, all the things discussed about ufw out on the internet and in this thread started working. Pretty frustrating, but I did install minimal!

Here are some links to the 20.04 ufw man pages. Your favorite search providers might not list them in your results. Reading these really helped me figure out what was happening.

https://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html https://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html

I hope this helps.

score 0 · Answer 7 · answered Aug 03 '17 at 07:11

0

I deleted the empty /var/log/ufw.log file, restarted and ufw began logging.

answered Aug 03 '17 at 07:11

Gordon

1

UFW is not logging how do I troubleshoot?

7 Answers7

Linked