Is there a way I can easily redirect the entries for UFW to their own log file at /var/log/ufw instead of filling up /var/log/syslog as it's becoming tricky to find solutions to problems with all this UFW stuff flying past me?
Asked
Active
Viewed 2.5k times
5 Answers
26
In Ubuntu 15.10 and Debian Jessie there is a file /etc/rsyslog.d/20-ufw.conf. It contains at the bottom # & ~. Remove the # in front of it to uncomment it and refresh rsyslog with the command /etc/init.d/rsyslog restart so that it takes in account the configuration change.
chmike
- 1,014
14
I'm running Ubuntu 14.04 as well. In my /etc/rsyslog.d/ there's a file 20-ufw.conf which has the following line:
:msg,contains,"[UFW " /var/log/ufw.log
What I've done is delete that file, and at the top of 50-default.conf I added the following:
:msg,contains,"[UFW " /var/log/ufw.log
& stop
Restart rsyslog with sudo service rsyslog restart and your UFW logs should be put into their own file and not into any other.
Ackis
- 307
- 2
- 4
- 14
7
ufw uses rsyslog for logging to /var/log/syslog or /var/log/messages:
To change the log file, edit /etc/rsyslog.d/50-default.conf and to the top add:
:msg, contains, "UFW" -/var/log/ufw.log
& ~
This will log all data that contains "UFW" to /var/log/ufw.log will prevent further processing of such data.
6
On 16.04 just comment out the last line in this file so that it reads
$ tail -1 /etc/rsyslog.d/20-ufw.conf
& stop
and restart rsyslog
$ sudo systemctl restart rsyslog
from now on, ufw logs will be in /var/log/ufw.log and not anymore in /var/log/syslog
Ante Gabrielssen
- 306
1
I cannot post a comment yet with my reputation, hence posting a separate response.
chmike's answer still works for Ubuntu 20.04 (with a slight change). Basically
go to /etc/rsyslog.d/20-ufw.conf
Uncomment the last line: # & stop (i.e. delete #)
then restart rsyslog (i.e. /etc/init.d/rsyslog restart)
Dr Phil
- 151