Locating UFW Firewall Logs on Ubuntu Server: Path Configuration and Troubleshooting


UFW (Uncomplicated Firewall) utilizes Linux's kernel logging subsystem. When enabled, UFW writes logs through the kernel's netfilter framework, which typically routes them to one of these locations:


/var/log/ufw.log
/var/log/kern.log
/var/log/syslog

Before checking log files, confirm logging is active:


sudo ufw status verbose | grep Logging

Expected output: Logging: on (low|medium|high)

The primary log file locations with example log entries:

1. Dedicated UFW Log (if configured)


[UFW BLOCK] IN=eth0 OUT= MAC=XX:XX:XX:XX:XX SRC=192.168.1.100 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0

2. Kernel Log


sudo grep -i ufw /var/log/kern.log

3. System Log


sudo grep -i ufw /var/log/syslog

To create a dedicated UFW log file:


# Create rsyslog config
sudo nano /etc/rsyslog.d/20-ufw.conf

# Add these lines:
:msg, contains, "[UFW " /var/log/ufw.log
& stop

# Restart services
sudo systemctl restart rsyslog
sudo ufw reload

If logs aren't appearing:


# Check kernel parameters
sudo sysctl net.netfilter.nf_log_all_netns

# Verify rsyslog is running
sudo systemctl status rsyslog

# Test logging level
sudo ufw logging medium

Sample command to extract blocked connections:


# Match DPT= by name rather than by awk column number: the column shifts whenever the kernel prefixes its own [seconds] timestamp
sudo grep 'UFW BLOCK' /var/log/ufw.log | grep -o 'DPT=[0-9]*' | grep -vx 'DPT=22' | cut -d= -f2 | sort | uniq -c | sort -n

This shows blocked ports (excluding SSH) and their frequency.

Ensure logrotate is configured for UFW logs:


# Check existing config
ls /etc/logrotate.d/*ufw*

If missing, create a configuration to prevent the log file from growing indefinitely.
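Putting the two configuration pieces from this answer together, as an added example that is not part of the answer above: a POSIX shell script that stages the rsyslog filter and a logrotate stanza in a scratch directory and checks the filter's match string against a constructed UFW log line before anything is copied under /etc. The scratch directory, the sample line, the function names and the logrotate values (rotate 4, weekly, HUP rsyslog after rotation) are this example's own assumptions, not a distribution default.

```shell
#!/bin/sh
# Added example: stage the rsyslog filter and a logrotate stanza for a
# dedicated /var/log/ufw.log in a scratch directory, and prove the filter's
# match string hits a real UFW message before anything is copied into /etc.
# Assumptions: the scratch directory path and the sample line are constructed;
# the logrotate values are this example's choice, not a distribution default.

# UFW tags messages as [UFW BLOCK], [UFW ALLOW], [UFW AUDIT] and so on, so the
# filter matches the prefix up to and including the space. "[UFW]" on its own
# would never match. "& stop" keeps the entries out of syslog/kern.log as well.
write_rsyslog_filter() {   # $1 = destination file
    cat > "$1" <<'EOF'
:msg, contains, "[UFW " /var/log/ufw.log
& stop
EOF
}

# Rotate weekly, keep four compressed generations, and HUP rsyslog so it
# reopens the file after rotation (rsyslog reopens its outputs on SIGHUP).
write_logrotate_stanza() {   # $1 = destination file
    cat > "$1" <<'EOF'
/var/log/ufw.log
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

# filter_matches FILTER_FILE MESSAGE
#   Returns 0 when the literal quoted in the filter's "contains" clause occurs
#   in MESSAGE, 1 when it does not, 2 when no such clause could be read.
filter_matches() {
    needle=$(sed -n 's/^:msg, *contains, *"\([^"]*\)".*/\1/p' "$1")
    [ -n "$needle" ] || return 2
    case "$2" in
        *"$needle"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample line (documentation addresses, not real traffic).
UFW_LINE='Jan  1 12:00:00 server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=54321 DPT=22'

# stage_ufw_logging DIR : write both files into DIR and verify the filter.
stage_ufw_logging() {
    mkdir -p "$1"
    write_rsyslog_filter "$1/20-ufw.conf"
    write_logrotate_stanza "$1/ufw"
    filter_matches "$1/20-ufw.conf" "$UFW_LINE"
}

STAGE=${STAGE:-/tmp/ufw-stage}
if stage_ufw_logging "$STAGE"; then
    echo "filter matches; install $STAGE/20-ufw.conf to /etc/rsyslog.d/ and $STAGE/ufw to /etc/logrotate.d/"
else
    echo "filter does not match UFW messages; fix $STAGE/20-ufw.conf before installing" >&2
fi
```

After the check passes, copy the two staged files into /etc/rsyslog.d/ and /etc/logrotate.d/ and restart rsyslog as the answer describes; the check exists because a filter string that never matches fails silently, leaving an empty ufw.log and the entries still in syslog.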


UFW (Uncomplicated Firewall) uses Linux's kernel logging subsystem. By default, it logs to /var/log/ufw.log, but this depends on your rsyslog configuration. The logging level is controlled by UFW's configuration file.

First verify if logging is enabled and where it's configured:

sudo ufw status verbose
# Look for "Logging: on"

Then check rsyslog configuration:

grep -r "ufw" /etc/rsyslog.*
# Or check specific files
cat /etc/rsyslog.d/20-ufw.conf  # Common location

These are the most likely locations:

  • /var/log/ufw.log (default)
  • /var/log/syslog
  • /var/log/kern.log
  • /var/log/messages

If logging isn't enabled:

sudo ufw logging on
# Set log level (low, medium, high, full)
sudo ufw logging medium

To direct UFW logs to a specific file:

# Create new rsyslog config. UFW tags entries as "[UFW BLOCK]", "[UFW ALLOW]" etc.,
# so match the prefix including the trailing space ("[UFW]" on its own never matches)
echo ':msg, contains, "[UFW " /var/log/ufw.log' | sudo tee /etc/rsyslog.d/20-ufw.conf

# Restart services
sudo systemctl restart rsyslog
sudo ufw reload

Example log entry format:

Jan 1 12:00:00 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=1.2.3.4 DST=5.6.7.8 ...

Useful commands for log analysis:

# Show recent blocks
sudo grep "UFW BLOCK" /var/log/ufw.log | tail -n 20

# Count blocked source IPs (SRC= is matched by name, so the column position doesn't matter)
sudo grep "UFW BLOCK" /var/log/ufw.log | grep -o 'SRC=[^ ]*' | cut -d= -f2 | sort | uniq -c | sort -n

If logs aren't appearing:

  1. Verify rsyslog is running: systemctl status rsyslog
  2. Check disk space: df -h
  3. Verify kernel logging: dmesg | grep UFW
  4. Test with explicit blocking: sudo ufw deny from 1.1.1.1
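Both answers extract fields from the log lines by awk column number, which breaks as soon as the kernel prefixes its own [seconds] timestamp or a field is missing. As an added example that is not from either answer, here is a shell function that pulls a named key out of every [UFW BLOCK] line, so one piece of code answers both "which destination ports are being blocked" and "which sources are being blocked" regardless of column position. The log lines are constructed (documentation addresses, not real traffic), and `UFW_SAMPLE`, `ufw_field_counts`, `ufw_blocked_ports` and `ufw_blocked_sources` are names chosen for this example.

```shell
#!/bin/sh
# Added example: count a named field across [UFW BLOCK] entries without
# relying on column numbers. Reads log lines on stdin.

# Constructed sample (documentation addresses, not real traffic). Lines 2 and
# 4 carry a kernel "[ seconds]" prefix, which shifts every awk column by two.
UFW_SAMPLE='Jan  1 12:00:00 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:01 server kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12346 PROTO=TCP SPT=54322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:02 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan  1 12:00:03 server kernel: [ 1234.987654] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=778 PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:04 server kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=1111 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0'

# ufw_field_counts KEY [SKIP]
#   Prints "count value" for every distinct KEY=value seen in [UFW BLOCK]
#   lines on stdin, least frequent first (same shape as uniq -c | sort -n).
#   Lines whose value equals SKIP are ignored, e.g. SKIP=22 to drop SSH noise.
#   ALLOW/AUDIT lines are never counted.
ufw_field_counts() {
    awk -v key="$1" -v skip="$2" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 1 && substr($i, 1, n - 1) == key) {
                    v = substr($i, n + 1)
                    if (v != "" && v != skip) count[v]++
                    break   # first occurrence wins (UDP lines carry LEN= twice)
                }
            }
        }
        END { for (v in count) printf "%d %s\n", count[v], v }
    ' | sort -k1,1n -k2,2
}

# Convenience wrappers for the two questions the answers above ask.
ufw_blocked_ports()   { ufw_field_counts DPT 22; }   # blocked destination ports, SSH excluded
ufw_blocked_sources() { ufw_field_counts SRC; }      # blocked source addresses

# Demo on the constructed sample; on a live host use
#   sudo cat /var/log/ufw.log | ufw_blocked_ports
printf '%s\n' "$UFW_SAMPLE" | ufw_blocked_ports
printf '%s\n' "$UFW_SAMPLE" | ufw_blocked_sources
```

On the sample above the port report is `1 5353` then `2 3389` (the DPT=22 line is skipped) and the source report is `2 198.51.100.7` then `2 203.0.113.10`; the timestamped lines are counted exactly like the others, which the `$12`-style one-liners do not manage.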