How to Check the UFW Log

This tutorial explains how to enable UFW (Uncomplicated Firewall) logging and how to find and read the UFW log on Ubuntu Linux.

Run ufw status verbose to check whether logging is enabled:

sudo ufw status verbose

If the output shows "Logging: off", enable logging with:

sudo ufw logging on

Check again:

sudo ufw status verbose

If logging is enabled, the output shows the level, e.g. "Logging: on (low)". The levels, as documented in the ufw man page, are:

  • off: no ufw-managed logging.
  • low: logs blocked packets that do not match the default policy (rate limited), plus packets matching rules that have logging turned on.
  • medium: everything in low, plus allowed packets not matching the default policy, all INVALID packets and all new connections; all rate limited.
  • high: everything in medium without rate limiting, plus all other packets with rate limiting.
  • full: everything in high, with no rate limiting at all.

"ufw logging on" simply selects level low.

Change the logging level with the same command followed by the level name, e.g. medium, which adds allowed and new connections without the volume of high or full:

sudo ufw logging medium

Once logging is on and the firewall is active (Status: active), entries are written to /var/log/ufw.log. Check that the file exists:

sudo ls /var/log/ufw*

If no log file exists, rsyslog is most likely not installed: ufw ships an rsyslog rule that writes its kernel log messages to /var/log/ufw.log, so without rsyslog the messages stay in the systemd journal only. Check, and install it if missing:

systemctl status rsyslog
sudo apt install rsyslog
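The check-and-enable steps above, scripted so they can run from a provisioning or audit job. This is an added example, not code from the original article: it parses the "Logging:" line that ufw status verbose prints, the function names are this example's own, and the real ufw commands only run when the script is executed as root on a host where ufw is installed (the parsing functions work on any system).

```shell
#!/bin/sh
# Added example: make sure UFW logging is at least a wanted level.
# Assumes the "Logging: on (low)" / "Logging: off" line printed by
# `ufw status verbose`; function names are this example's own.

# Print the current level (off, low, medium, high or full) from
# `ufw status verbose` output read on stdin. Prints nothing when the
# firewall is inactive, because ufw then prints no Logging: line.
ufw_logging_level() {
    awk -F'[ ()]+' '/^Logging:/ {
        lvl = ($2 == "off") ? "off" : $3
        print lvl
        exit
    }'
}

# Rank the levels so they can be compared; unknown or missing -> -1.
ufw_level_rank() {
    case "$1" in
        off)    echo 0 ;;
        low)    echo 1 ;;
        medium) echo 2 ;;
        high)   echo 3 ;;
        full)   echo 4 ;;
        *)      echo -1 ;;
    esac
}

# Succeed (exit 0) when the level read on stdin is below the wanted one.
# Usage: ufw status verbose | ufw_logging_below medium
ufw_logging_below() {
    cur=$(ufw_logging_level)
    [ "$(ufw_level_rank "$cur")" -lt "$(ufw_level_rank "$1")" ]
}

# Real run, only as root with ufw present. The level is raised when it is
# below the target and otherwise left alone, so a deliberately higher
# setting chosen by an operator is never lowered by this script.
if [ "$(id -u)" = 0 ] && command -v ufw >/dev/null 2>&1; then
    target=${1:-medium}
    if ufw status verbose | ufw_logging_below "$target"; then
        ufw logging "$target"
    fi
    ufw status verbose | grep '^Logging:'
fi
```

Run it as root with the wanted level as the first argument (default medium). Remember that setting a level while the firewall is inactive only stores the preference; nothing is logged until ufw enable has been run.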

How to read the log

Each entry is a kernel netfilter message prefixed with the action ufw took, e.g. [UFW BLOCK] or [UFW ALLOW] ([UFW AUDIT] at the higher levels), followed by key=value fields:

  • IN= interface the packet arrived on (empty for locally generated traffic).
  • OUT= interface the packet leaves on (empty for inbound traffic).
  • MAC= destination MAC, source MAC and EtherType of the frame, colon-separated.
  • SRC= source IP address.
  • DST= destination IP address.
  • LEN= packet length in bytes.
  • TOS= Type of Service, used for packet classification.
  • PREC= precedence bits of the Type of Service field.
  • TTL= Time To Live.
  • ID= IP datagram identifier, shared by fragments of the same packet.
  • PROTO= transport protocol (TCP, UDP, ICMP, ...).
  • SPT= source port.
  • DPT= destination port.

TCP entries also carry WINDOW=, RES= and the flags that were set (e.g. SYN). A burst of [UFW BLOCK] lines with SYN set, one SRC and many different DPT values is the typical signature of a port scan.
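Reading the fields by eye does not scale past a few lines, so here is the same field layout handled with awk and sed. This is an added example, not code from the original article; the sample log lines are constructed for it (RFC 5737 test addresses) and follow the layout of real /var/log/ufw.log entries, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise UFW log entries from /var/log/ufw.log.
# The lines below are constructed sample data, not a real capture.
UFW_SAMPLE_LOG=$(cat <<'EOF'
Jan 23 10:15:32 web01 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 23 10:15:33 web01 kernel: [ 1235.112233] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=51235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 23 10:15:35 web01 kernel: [ 1237.445566] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54323 PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 23 10:16:01 web01 kernel: [ 1263.778899] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=11111 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Jan 23 10:16:05 web01 kernel: [ 1267.001122] [UFW ALLOW] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.25 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22222 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
)

# Print the value of one key=value field (e.g. DPT) for every line on stdin.
# UDP entries carry LEN= twice (IP total length, then UDP length); the greedy
# match returns the last occurrence, so `ufw_field LEN` gives the UDP one.
ufw_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Count blocked packets per source address, most talkative source first.
ufw_blocked_by_source() {
    awk '/\[UFW BLOCK\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { n[substr($i, 5)]++; break }
    }
    END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Count blocked packets per PROTO/DPT; ICMP entries have no DPT and are skipped.
ufw_blocked_ports() {
    awk '/\[UFW BLOCK\]/ {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt != "") n[proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Live input: the rsyslog file when present, otherwise the kernel ring of
# the systemd journal (where the same messages land without rsyslog).
ufw_log_source() {
    if [ -r /var/log/ufw.log ]; then
        cat /var/log/ufw.log
    else
        journalctl -k --no-pager
    fi
}

echo "Blocked packets per source:"
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_by_source
echo "Blocked packets per protocol/port:"
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_ports
```

On a real host replace the printf of the sample with `ufw_log_source | ufw_blocked_by_source` (root is needed to read the log). Note that at levels low and medium the kernel rate-limits these entries, so the counts are a lower bound on the traffic actually dropped.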

Other useful commands to check the ufw logs

The same kernel messages also land in the general syslog files, so the following work as well. On a default Ubuntu rsyslog configuration /var/log/messages is not written, so the first command normally finds nothing there; on hosts without rsyslog the messages exist only in the systemd journal.

grep -i ufw /var/log/messages
grep -i ufw /var/log/kern.log
grep -i ufw /var/log/syslog

Links:

https://ubuntu.com/server/docs/security-firewall
