A firewall is critical to the security of your Linux system. This tutorial shows how to enable UFW (Uncomplicated Firewall) logging and how to read the log entries it produces.
UFW logs through the kernel's netfilter LOG target, and it is rsyslog that picks those kernel messages up and writes them to a file, so rsyslog must be running for the log file to exist. Check whether it is running:
sudo systemctl status rsyslog
If rsyslog is not running, start it now and enable it so that it also starts at boot (start alone does not survive a reboot):
sudo systemctl enable --now rsyslog
Then check whether UFW logging is enabled, and at which level; the Logging: line of the verbose status shows this:
sudo ufw status verbose
If logging is disabled, you can enable it by running:
sudo ufw logging on
There are five logging levels (ufw logging on is the same as low):
- off: disables UFW-managed logging.
- low: logs all blocked packets that do not match the default policy (rate-limited), plus any packets matching rules that were created with log or log-all.
- medium: everything in low, plus allowed packets that do not match the default policy, all INVALID packets, and all new connections. Still rate-limited.
- high: everything in medium, now without rate limiting, plus all remaining packets with rate limiting.
- full: everything in high with no rate limiting at all.
To change the logging level, for example to medium, run the following command. Choose with care: high and full log every packet and can fill the disk on a busy host, while medium is usually enough for an investigation:
sudo ufw logging medium
Logs are stored under /var/log/. On Ubuntu the rsyslog rule in /etc/rsyslog.d/20-ufw.conf sends every message containing "[UFW " to /var/log/ufw.log; logrotate keeps the older copies beside it. To list the UFW log files:
sudo ls /var/log/ufw*
To page through the current and rotated logs (in less, :n moves to the next file):
sudo less /var/log/ufw*
To show the most recent entries and keep following new ones as they arrive:
sudo tail -f /var/log/ufw.log
If you only care about dropped traffic, filter on the prefix:
sudo grep 'UFW BLOCK' /var/log/ufw.log
On a host without rsyslog the same messages are in the kernel journal:
sudo journalctl -k | grep '\[UFW'
Each entry starts with a prefix such as [UFW BLOCK] or [UFW ALLOW] that tells you what UFW did with the packet, followed by the netfilter fields. Here is what the common fields mean:
- IN= Interface the packet arrived on (empty for locally generated packets)
- OUT= Interface the packet was sent out on (empty for packets addressed to this host)
- MAC= Destination MAC, source MAC and EtherType of the Ethernet frame, concatenated
- SRC= Source IP address
- DST= Destination IP address
- LEN= Total length of the IP packet in bytes
- TOS= Type of Service byte of the IP header
- PREC= Precedence bits of the Type of Service field
- TTL= Time To Live
- ID= IP identification value, shared by all fragments of the same datagram
- PROTO= Transport protocol (TCP, UDP, ICMP, ...)
- SPT= Source port
- DPT= Destination port
Bare tokens with no = sign, such as DF or SYN, are flags: DF means Don't Fragment, and SYN on a blocked line means a new connection attempt was dropped.
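Reading a few lines by hand is fine, but the value of the log is in aggregating it. The parser below is an added example, not part of the original tutorial: it splits each entry into the fields listed above, keeps the flag tokens, counts blocked packets per source and per destination port, and flags sources that probed several distinct ports (a crude port-scan heuristic; the threshold and the LEN_L4 name are choices made here). The sample log lines are constructed for the demo, using documentation addresses, and follow the layout rsyslog writes to /var/log/ufw.log.

```python
"""Parse UFW log entries and summarise blocked traffic (added example)."""
import re
from collections import Counter

# Constructed sample lines in the /var/log/ufw.log layout; not real traffic.
SAMPLE_LOG = """\
Mar  3 10:15:02 host kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 host kernel: [12346.001234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54322 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:04 host kernel: [12347.100000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:05 host kernel: [12348.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54323 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:06 host kernel: [12349.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.5 LEN=32 TOS=0x00 PREC=0x00 TTL=58 ID=777 PROTO=UDP SPT=5353 DPT=5353 LEN=12
Mar  3 10:15:07 host sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 51000
"""

# "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT INVALID]", ... followed by the fields.
PREFIX_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+)\]\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_ufw_line(line):
    """Return a dict of the entry's fields, or None if the line is not a UFW entry."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"action": m.group("action").strip(), "flags": []}
    for tok in m.group("fields").split():
        kv = KV_RE.fullmatch(tok)
        if kv is None:
            # DF, SYN, ACK, ... carry no value: they are flags.
            rec["flags"].append(tok)
            continue
        key, val = kv.group("key"), kv.group("val")
        if key == "LEN" and "LEN" in rec:
            # UDP/ICMP entries repeat LEN= for the transport-layer length;
            # keep the IP total length under LEN and store this one as LEN_L4
            # (a name chosen for this example, not a netfilter field).
            rec["LEN_L4"] = val
        else:
            rec[key] = val
    return rec


def summarize_blocks(log_text):
    """Count blocked packets per source IP and per proto/port, and the
    set of distinct proto/port targets seen from each source."""
    by_src, by_dpt, ports_per_src = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or "BLOCK" not in rec["action"]:
            continue
        src = rec.get("SRC", "?")
        target = f"{rec.get('PROTO', '?')}/{rec.get('DPT', '-')}"
        by_src[src] += 1
        by_dpt[target] += 1
        ports_per_src.setdefault(src, set()).add(target)
    return by_src, by_dpt, ports_per_src


def suspected_scanners(log_text, min_ports=3):
    """Sources whose blocked packets hit at least min_ports distinct targets."""
    _, _, ports_per_src = summarize_blocks(log_text)
    return sorted(s for s, p in ports_per_src.items() if len(p) >= min_ports)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/ufw.log").read() on a real host.
    by_src, by_dpt, _ = summarize_blocks(SAMPLE_LOG)
    print("blocked packets per source:", by_src.most_common())
    print("blocked packets per target:", by_dpt.most_common())
    print("suspected scanners:", suspected_scanners(SAMPLE_LOG))
```

Run it against the real file with sudo and the summary will also reveal noisy but harmless sources (broadcast mDNS on UDP/5353, for instance) that you may prefer to drop silently with a dedicated deny rule so they stop drowning the interesting blocks.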