UFW is not logging how do I troubleshoot?

Question

I have set logging to high.

I am not seeing any log messages.

I do see the empty ufw.log file.

No messages in dmesg

Check this in the terminal "Sudo Ufw status" if the yfw is enabled you may have a problem with loging events — Prasad RD, Mar 16 '12 at 09:09
status says: logging high, so ufw thinks logging is set correctly. Any clues on how I can proceed? — sureshvv, Mar 16 '12 at 09:41
if any of these answers "answered" your question please accept one of them :) — blade19899, Jul 11 '12 at 16:03
8 years later.... Still no logging. How the $%!@$ is the maintainer of this sh1t? And no, nothing of the below helped me. There is no `/var/log/ufw*`, there is nothing in syslog, changing log level doesn't make a difference. — Carlo Wood, Apr 12 '20 at 11:28

score 9 · Answer 1 · edited Apr 23 '22 at 21:18

The log files are in /var/log/. To get a list of UFW related logs run the following at the command line:

ls /var/log/ufw*

Your results should appear like this:

$ ls /var/log/ufw*
/var/log/ufw.log    /var/log/ufw.log.2.gz  /var/log/ufw.log.4.gz
/var/log/ufw.log.1  /var/log/ufw.log.3.gz

If you do not have logs there you may want to double check the status and settings for UFW.

sudo ufw status verbose

You should get a result like this:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

If logging is off then you need to turn it on by running the following command:

sudo ufw logging low

If you do not have any log files then you can check to see if rsyslogd is running by typing:

sudo service rsyslog status

You should get a result as follows:

$ sudo service rsyslog status
rsyslog start/running, process 991

If it does not show that it is running you can try to start the service:

sudo service rsyslog restart

rsyslog was running. I restarted. logging level already set to high. Still no joy! ufw.log is empty. What events are logged? Will attempt to access any port that has a DENY rule be logged? — sureshvv, Mar 17 '12 at 03:03

score 5 · Answer 2 · edited Sep 13 '12 at 14:33

5

last time i checked the log file for ufw it was in the

/var/log/ufw.log

folder, with a lot of other files

edited Sep 13 '12 at 14:33

Jorge Castro

70,934
124
466
653

answered Mar 16 '12 at 08:38

blade19899

26,496
21
113
177

/var/log/ufw.log is an empty file - not a folder for me – sureshvv Mar 16 '12 at 08:40
No, what he mentioned there is the log folder!. Anyone knows it isn't a folder if it ends with an extension :-) – Prasad RD Mar 16 '12 at 09:47
2

not true of the .d extension...and it's a 1 rep asker...so maybe not 'Anyone' – RobotHumans Mar 16 '12 at 09:55
1

Sorry then, that is the far as i know – Prasad RD Mar 16 '12 at 10:12

score 2 · Answer 3 · answered Jul 29 '17 at 07:53

2

Just to add to @cprofitt's answer, I had an issue where UFW was showing:

sudo ufw status verbose
Status: active
Logging: on (low)

But it was not logging. I went through several gyrations, including disable/re-enabling ufw. Checking rsyslog conf, restarting rsyslog. All without any positive results. Still nothing going to the logfile.

I did a sudo ufw logging low and logs started growing once again. So ufw was obviously in some state where it would not write to the logs.

answered Jul 29 '17 at 07:53

john

151
2

1

Sorry to bump this, but I also ran into the issue of ufw not logging and a similar solution to this fixed it for me. I had to set `ufw logging` to `medium` in order for it to even generate a ufw.log file. Previously, even with logging low, the file wasn't even being made. Thank you! – gcode Feb 28 '20 at 01:39

score 1 · Answer 4 · edited Apr 23 '22 at 21:20

@Carlo Wood, the gentleman who after 8 years still did not get this resolved.

touch /var/log/ufw.log

Cycle ufw for good measure and/or adjust perms in the file. Additionally, as mentioned above, do 'ufw status medium' (or whatever) to confirm it's logging now, and then adjust if you want more or less.

Let me know if it's working. I had the same problem, but was able to fix it in minutes after reading this thread and doing what i mentioned in this post.

Note to developer: (if they should see this). on fresh installation of ubuntu 20.04 the /var/log/ufw.log doesn't exist. this problem is easily fixed and won't see issues about it if ufw.log is simply created as part of the OS installation process. my thought is it was either overlooked, or was not low enough lying fruit... either way i have seen this issue before and it's always solved by 'touch /var/log/ufw.log'

Update: I realized I was assuming too much. /var/log/ufw.log should be created on enabling of ufw (as opposed to mega kludge above on creating at OS installation time.

ah, my mistake. comment is correct. i made a mistake when i thought it was the original poster. will take more care. still kind of new but as this is turning out to be a great resource will make sure i get original poster/posts accurate. — Ronald Johnson, Nov 20 '20 at 07:03
i was able to fix this issue immediately after reading the entirety of this thread. additionally, the fact that /var/log/ufw.log doesnt exist on new inst of 20.04, does not get created on enabling ufw, might just save someone some time in the future, as it did me. — Ronald Johnson, Nov 21 '20 at 07:00

score 0 · Answer 5 · edited Dec 16 '20 at 00:03

I had the same problem. In my case, none of the above suggestions was helpful. I could resolve the issue in the way described on Stackoverflow: https://stackoverflow.com/questions/42374494/ubuntu-16-ufw-not-logging-in-var-log-ufw-log-neither-another-location/42388079#42388079.

To make things easier:

Edit /etc/rsyslog.conf
uncomment line: module(load="imklog") # provides kernel logging support
Then, sudo service rsyslog restart

Logging like a charm since then.

Grant BlahaErath · Answer 6 · 2022-04-23T21:37:27.147

If you installed Ubuntu server minimal you will get something that responds to the ufw command, but it is missing all of its configuration in /etc/ufw. Until I executed apt install ufw, the log entries were directed to /var/log/syslog.

I also installed rsyslog as one of the answers here in this thread recommend, but it didn't help me that much until I restarted rsyslog AFTER installing ufw properly. Why? In /etc/rsyslog.d/ you might see a ufw conf file (mine was named 20-ufw.conf) that splits out the UFW messages into their own file. Since that file wasn't put there in the minimal install, all entries end up in syslog. After doing the ufw install, restarting rsyslog causes it to read the configuration and start putting entries into /var/log/ufw.log

Once I did that, all the things discussed about ufw out on the internet and in this thread started working. Pretty frustrating, but I did install minimal!

Here are some links to the 20.04 ufw man pages. Your favorite search providers might not list them in your results. Reading these really helped me figure out what was happening.

https://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html https://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html

I hope this helps.

score 0 · Answer 7 · answered Aug 03 '17 at 07:11

0

I deleted the empty /var/log/ufw.log file, restarted and ufw began logging.

answered Aug 03 '17 at 07:11

Gordon

1

UFW is not logging how do I troubleshoot?

7 Answers7

Linked