Locating UFW Firewall Logs on Ubuntu Server: Path Configuration and Troubleshooting



UFW (Uncomplicated Firewall) utilizes Linux's kernel logging subsystem. When enabled, UFW writes logs through the kernel's netfilter framework, which typically routes them to one of these locations:


/var/log/ufw.log
/var/log/kern.log
/var/log/syslog

Before checking log files, confirm logging is active:


sudo ufw status verbose | grep Logging

Expected output: Logging: on (low|medium|high)

The primary log file locations with example log entries:

1. Dedicated UFW Log (if configured)


[UFW BLOCK] IN=eth0 OUT= MAC=XX:XX:XX:XX:XX SRC=192.168.1.100 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0

2. Kernel Log


sudo grep -i ufw /var/log/kern.log

3. System Log


sudo grep -i ufw /var/log/syslog

To create a dedicated UFW log file:


# Create rsyslog config (the Ubuntu ufw package installs this file with the
# first rule present and "& stop" commented out)
sudo nano /etc/rsyslog.d/20-ufw.conf

# Add these lines. The match string is "[UFW " with a trailing space: the kernel
# messages read "[UFW BLOCK]" / "[UFW ALLOW]". "& stop" continues the rule above
# and discards the message after filing it, so it no longer also lands in
# /var/log/kern.log and /var/log/syslog through the kern.* rules.
:msg, contains, "[UFW " /var/log/ufw.log
& stop

# Restart services
sudo systemctl restart rsyslog
sudo ufw reload

If logs aren't appearing:


# Check kernel parameters: 0 is the default and means only the host's initial
# network namespace may log through the LOG target. It matters only when UFW
# runs inside a container/network namespace and its messages never reach dmesg.
sudo sysctl net.netfilter.nf_log_all_netns

# Verify rsyslog is running
sudo systemctl status rsyslog

# Test logging level: low logs blocked packets (rate limited); medium adds
# allowed packets not matching the default policy, INVALID packets and new
# connections; high and full log everything, full without rate limiting
sudo ufw logging medium

Sample command to extract blocked connections:


# Extract DPT= by name rather than by awk field number ($12 shifts when the
# kernel prefixes "[ 1234.5678]" uptime or OUT= is empty); grep -vx drops
# exactly port 22, whereas !/DPT=22/ would also drop 220, 2222, 22000 ...
sudo sed -nE 's/.*\[UFW BLOCK\].* DPT=([0-9]+).*/\1/p' /var/log/ufw.log | grep -vx 22 | sort | uniq -c | sort -n

This shows blocked ports (excluding SSH) and their frequency.

Ensure logrotate is configured for UFW logs:


# Check existing config (the ufw package ships /etc/logrotate.d/ufw)
ls /etc/logrotate.d/*ufw*

If missing, create configuration to prevent log files from growing indefinitely.
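The "check rsyslog configuration" step (here and in the answer that follows) can be scripted instead of eyeballed. The following is an added example, not code from either answer or from the ufw project: it parses rsyslog rule text and reports which file receives "[UFW " messages and whether "& stop" keeps copies out of kern.log and syslog. The two config snippets are constructed for the demo (the first mirrors the layout of the shipped 20-ufw.conf, with "& stop" commented out); the claim that copies otherwise reach /var/log/kern.log and /var/log/syslog assumes Ubuntu's default kern.* and *.* rules in 50-default.conf.

```sh
#!/bin/sh
# Added example (not from the original answers): find where rsyslog files UFW
# messages by reading its rules instead of guessing among ufw.log, kern.log
# and syslog. Assumes the rule shape used by the shipped 20-ufw.conf.

# Constructed copies of two rsyslog snippets (not read from a real host).
# The first mirrors what the Ubuntu ufw package installs: "& stop" commented out.
SHIPPED_CONF='# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
#& stop'
# The second files UFW lines asynchronously (leading "-") and then discards them.
STOP_CONF=':msg, contains, "[UFW " -/var/log/ufw.log
& stop'

# Read rsyslog config on stdin. For each rule that files "[UFW " messages, print
# "<path> <also-elsewhere>": "no" when the rule is followed by "& stop" (or the
# older "& ~"), otherwise "yes", meaning the kern.* rules still copy the line
# to /var/log/kern.log and /var/log/syslog (assumed default 50-default.conf).
ufw_rsyslog_targets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines keep the chain open
        /^[ \t]*:msg,[ \t]*contains,[ \t]*"\[UFW / {
            if (path != "") print path, "yes"        # previous UFW rule had no "& stop"
            path = $NF; sub(/^-/, "", path)          # "-" prefix means async write
            next
        }
        /^[ \t]*&[ \t]*(stop|~)[ \t]*$/ {            # continuation of the last rule
            if (path != "") { print path, "no"; path = "" }
            next
        }
        /^[ \t]*&/ { next }                          # other continuation: chain still open
        { if (path != "") { print path, "yes"; path = "" } }   # any other rule ends the chain
        END { if (path != "") print path, "yes" }
    '
}

# Human-readable summary of where to grep. Reads rsyslog config on stdin; on a
# live host: cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf | ufw_log_locations
ufw_log_locations() {
    targets=$(ufw_rsyslog_targets)
    if [ -z "$targets" ]; then
        echo "no dedicated rule: look in /var/log/kern.log and /var/log/syslog"
        return 0
    fi
    printf '%s\n' "$targets" | while read -r path elsewhere; do
        if [ "$elsewhere" = "no" ]; then
            echo "$path (only here: '& stop' discards the line after filing it)"
        else
            echo "$path (copies also reach /var/log/kern.log and /var/log/syslog)"
        fi
    done
}

printf '%s\n' "$SHIPPED_CONF" | ufw_log_locations
printf '%s\n' "$STOP_CONF" | ufw_log_locations
```

With the shipped layout the script reports /var/log/ufw.log plus copies in kern.log and syslog, which is why grepping any of the three works on a stock install; once "& stop" is uncommented, only ufw.log has the lines and a grep of syslog comes back empty.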


UFW (Uncomplicated Firewall) uses Linux's kernel logging subsystem. By default, it logs to /var/log/ufw.log, but this depends on your rsyslog configuration. The logging level is controlled by UFW's configuration file.

First verify if logging is enabled and where it's configured:

sudo ufw status verbose
# Look for "Logging: on"

Then check rsyslog configuration:

grep -ri "ufw" /etc/rsyslog.conf /etc/rsyslog.d/   # -i: the rule text is "[UFW " in upper case
# Or check specific files
cat /etc/rsyslog.d/20-ufw.conf  # Common location (installed by the ufw package)

These are the most likely locations:

  • /var/log/ufw.log (default)
  • /var/log/syslog
  • /var/log/kern.log
  • /var/log/messages

If logging isn't enabled:

sudo ufw logging on
# Set log level (low, medium, high, full)
sudo ufw logging medium

To direct UFW logs to a specific file:

# Create new rsyslog config (overwrites the file the ufw package ships). The
# match string must be "[UFW " with a trailing space: kernel messages read
# "[UFW BLOCK]" / "[UFW ALLOW]", never "[UFW]", so "[UFW]" matches nothing
echo ':msg, contains, "[UFW " /var/log/ufw.log' | sudo tee /etc/rsyslog.d/20-ufw.conf

# Restart services
sudo systemctl restart rsyslog
sudo ufw reload

Example log entry format:

Jan 1 12:00:00 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=1.2.3.4 DST=5.6.7.8 ...

Useful commands for log analysis:

# Show recent blocks
sudo grep "UFW BLOCK" /var/log/ufw.log | tail -n 20

# Count blocked source IPs (extract SRC= by name; a field number such as $12
# shifts when the kernel prefixes "[ 1234.5678]" uptime or OUT= is empty)
sudo grep "UFW BLOCK" /var/log/ufw.log | grep -oE 'SRC=[0-9a-f.:]+' | cut -d= -f2 | sort | uniq -c | sort -n

If logs aren't appearing:

  1. Verify rsyslog is running: systemctl status rsyslog
  2. Check disk space: df -h
  3. Verify kernel logging: dmesg | grep UFW
  4. Test with explicit blocking: sudo ufw deny from 1.1.1.1
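Both answers count blocked ports and sources with awk field numbers, which depend on how rsyslog happened to format the line. The following is an added example, not code from either answer: it pulls each key=value out of "[UFW BLOCK]" lines by name, excludes the SSH port by exact match, and skips ICMP lines (which carry no DPT=) and "[UFW ALLOW]" lines. The log sample is constructed for the demo (made-up addresses, abbreviated MAC= fields, one line with and one without the kernel uptime prefix); on a real host feed it `sudo cat /var/log/ufw.log` instead.

```sh
#!/bin/sh
# Added example (not from the original answers): summarise blocked ports and
# sources from UFW log lines by extracting fields by name. awk '{print $12}'
# breaks as soon as the kernel prefixes "[ 1234.567890]" or a field is empty.

# Constructed sample of /var/log/ufw.log (made-up addresses and times; MAC= is
# abbreviated to "..." on most lines). Last line is an ALLOW and must be ignored.
SAMPLE_LOG='Jan  1 12:00:00 server kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:01 server kernel: [ 1235.000001] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12346 PROTO=TCP SPT=54322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:02 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=TCP SPT=40000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 12:00:03 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=778 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Jan  1 12:00:04 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12347 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan  1 12:00:05 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=192.0.2.200 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=1111 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:06 server kernel: [UFW ALLOW] IN=eth0 OUT= MAC=... SRC=192.0.2.9 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=10 PROTO=TCP SPT=2000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'

# Print the value of one key (SRC, DPT, PROTO, ...) from every [UFW BLOCK] line
# on stdin. Lines without that key, or with an empty value, are skipped: ICMP
# has no DPT= and is never counted as a port; [UFW ALLOW] lines never match.
ufw_block_field() {
    sed -nE "s/.*\[UFW BLOCK\].* $1=([^ ]+).*/\1/p"
}

# Blocked destination ports as "count port", most frequent first, excluding the
# one port given in $1 (the SSH port). grep -vx is an exact match: the pattern
# !/DPT=22/ used in the answers above would also drop 220, 2222 and 22000.
blocked_ports() {
    ufw_block_field DPT | grep -vx "$1" | sort | uniq -c \
        | awk '{print $1, $2}' | sort -k1,1nr -k2,2n
}

# Blocked source addresses as "count address", most frequent first.
blocked_sources() {
    ufw_block_field SRC | sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# On a live host replace the printf with: sudo cat /var/log/ufw.log
echo "blocked ports (excluding 22):"
printf '%s\n' "$SAMPLE_LOG" | blocked_ports 22
echo "blocked sources:"
printf '%s\n' "$SAMPLE_LOG" | blocked_sources
```

The same ufw_block_field helper works for PROTO, DST or IN, so "which interface sees the most drops" or "how much of the noise is UDP" is one extra pipeline rather than a new field-counting exercise.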