28

Is there a way I can easily redirect the entries for UFW to their own log file at /var/log/ufw instead of filling up /var/log/syslog as it's becoming tricky to find solutions to problems with all this UFW stuff flying past me?

markrich
  • 1,390
  • 3
  • 16
  • 27

5 Answers5

25

In Ubuntu 15.10 and Debian Jessie there is a file /etc/rsyslog.d/20-ufw.conf. It contains at the bottom # & ~. Remove the # in front of it to uncomment it and refresh rsyslog with the command /etc/init.d/rsyslog restart so that it takes in account the configuration change.

chmike
  • 722
  • 11
  • 21
14

I'm running Ubuntu 14.04 as well. In my /etc/rsyslog.d/ there's a file 20-ufw.conf which has the following line:

:msg,contains,"[UFW " /var/log/ufw.log

What I've done is delete that file, and at the top of 50-default.conf I added the following:

:msg,contains,"[UFW " /var/log/ufw.log
& stop

Restart rsyslog with sudo service rsyslog restart and your UFW logs should be put into their own file and not into any other.

Ackis
  • 198
  • 2
  • 3
  • 14
  • 12
    why not just edit `20-ufw.conf` and add the stop command there? In fact, it already has a template that can be uncommented, and it seems to work fine in my quick test. – HRJ Dec 04 '14 at 13:49
  • @HRJ Personal preference? The 20-ufw.conf file only has a few lines of text, most of which are comments. I felt it wasn't necessary for its own config file. Your suggestion accomplishes the same thing really - it's the `:msg,contains,"[UFW " /var/log/ufw.log` that needs to be modified/stopped. – Ackis Dec 05 '14 at 15:21
6

ufw uses rsyslog for logging to /var/log/syslog or /var/log/messages:

To change the log file, edit /etc/rsyslog.d/50-default.conf and to the top add:

:msg, contains, "UFW" -/var/log/ufw.log
& ~

This will log all data that contains "UFW" to /var/log/ufw.log will prevent further processing of such data.

carnendil
  • 5,421
  • 2
  • 30
  • 55
jobin
  • 27,142
  • 16
  • 100
  • 116
  • While ufw.log does now contain entries with your commands, syslog still receives messages. – markrich Apr 21 '14 at 14:55
  • Yes but syslog does report problems with your commands. – markrich Apr 21 '14 at 15:05
  • error during parsing file /etc/rsyslog.d/50-default.conf, on or before line 1: invalid character '~' - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] Apr 21 15:58:41 markys-home-pc rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ] – markrich Apr 21 '14 at 15:07
  • I did copy and paste. Same error. – markrich Apr 21 '14 at 16:39
  • The log has stopped accepting UFW commands on mass, however one or two are still sneaking through. It's better now however the depreciation error still exists. – markrich Apr 21 '14 at 16:43
  • @markrich: Not sure why the bug is still there, most likely you are using rsyslog 7(since you are on 14.04) and the bug you talk about has been fixed in version 5: http://www.rsyslog.com/changelog-for-5-6-5-v5-stable/. Unsure what to do with the error message :/ – jobin Apr 21 '14 at 17:04
6

On 16.04 just comment out the last line in this file so that it reads

$ tail -1 /etc/rsyslog.d/20-ufw.conf 
& stop

and restart rsyslog

$ sudo systemctl restart rsyslog

from now on, ufw logs will be in /var/log/ufw.log and not anymore in /var/log/syslog

Ante Gabrielssen
  • 196
  • 1
  • 3
1

I cannot post a comment yet with my reputation, hence posting a separate response.

chmike's answer still works for Ubuntu 20.04 (with a slight change). Basically

go to /etc/rsyslog.d/20-ufw.conf
Uncomment the last line: # & stop (i.e. delete #)
then restart rsyslog (i.e. /etc/init.d/rsyslog restart)
Dr Phil
  • 131
  • 5