How to Check UFW Firewall Log

A firewall is critical to the security of your Linux system. This tutorial shows how to enable UFW (Uncomplicated Firewall) logging and how to read the resulting logs.

For UFW logging to work, rsyslog must be running. Check whether it is:

sudo systemctl status rsyslog

If rsyslog is not running, start the service:

sudo systemctl start rsyslog

Then check whether UFW logging is enabled or disabled:

sudo ufw status verbose

If logging is disabled, you can enable it by running:

sudo ufw logging on

There are five logging levels:

  • Off: no logging.
  • On (low): logs packets blocked or allowed by the defined policies.
  • On (medium): same as low, plus packets that do not match any policy.
  • On (high): logs all packets, with rate limiting.
  • On (full): logs all packets, without rate limiting.

To change the logging level, for example to medium, run:

sudo ufw logging medium

Logs are normally stored under /var/log/. To list the UFW log files:

sudo ls /var/log/ufw*

To read all of the UFW logs:

sudo less /var/log/ufw*

To show the most recent entries and keep following the log as new lines are written:

sudo tail -f /var/log/ufw.log

Each log line carries a set of KEY=value fields. The main ones mean:

  • IN=    Interface the packet arrived on
  • OUT=   Interface the packet left on (empty for inbound traffic)
  • MAC=   MAC addresses (destination, then source) and the Ethernet frame type
  • SRC=   Source IP address
  • DST=   Destination IP address
  • LEN=   Packet length
  • PREC=  Precedence bits of the Type of Service byte
  • TTL=   Time To Live
  • ID=    IP datagram ID, shared by all fragments of the same packet
  • PROTO= Protocol used (for example TCP, UDP, ICMP)
  • SPT=   Source port
  • DPT=   Destination port
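As an added example (not from the original post), here is a small POSIX shell helper that pulls one field out of a log line in the format above and summarizes blocked connections per destination port. The sample log lines, hostnames, addresses and timestamps are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of UFW log lines (not real traffic); addresses are documentation ranges.
UFW_SAMPLE='Mar  3 12:00:01 host kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12345 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 12:00:02 host kernel: [12346.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12346 PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 12:00:03 host kernel: [12347.678901] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:00:04 host kernel: [12348.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=999 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# ufw_field LINE NAME: print the value of one KEY= field from a single UFW log line.
# Prints an empty string when the field is present but empty (e.g. OUT= on inbound traffic).
ufw_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, length(key) + 1) == key "=") {
                print substr($i, length(key) + 2)
                exit
            }
        }
    }'
}

# ufw_blocked_by_port: read UFW log text on stdin and print "DPT count" for every
# destination port seen in [UFW BLOCK] entries, most frequently blocked port first.
ufw_blocked_by_port() {
    grep '\[UFW BLOCK\]' | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) n[substr($i, 5)]++
    } END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1n
}

# Demo on the constructed sample. On a real host you would instead run:
#   sudo cat /var/log/ufw.log | ufw_blocked_by_port
printf '%s\n' "$UFW_SAMPLE" | ufw_blocked_by_port
```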
