UFW (Uncomplicated Firewall) is a simple, easy to use and powerful Firewall in Linux, especially Debian/ Ubuntu systems. It is very easy to use and setup firewall rules in UFW. Here is our detailed article about configuring UFW rules. In this article, we will look at how to check UFW log & status. Just like any other firewall, UFW also keeps a log of all requests and actions taken. But it also allows you to enable/disable logging, as well as set the level of detail to be captured during logging.
How to Check UFW Log & Status
Open terminal and run the following command to check if logging is enabled or not on your system.
$ sudo ufw status verbose ... logging : off ...
If the value of logging flag is off, then it means logging is disabled for UFW on your system.
In that case, run the following command to enable it.
$ sudo ufw logging on
Now if you check logging status, you will see that it is enabled.
$ sudo ufw status verbose ... logging : on (low) ...
In the above case, you will find that logging flag is set to on (low). UFW supports 5 levels of logging.
- Off: No managed logging.
- On (low): Logs all blocked or allowed packets by policies.
- On (medium): Same as above, but includes packets not matching policies.
- On (High): Logs all rate-limiting and without rate limiting packets.
- On (Full): Logs all packets without rate limiting.
So if you want to change UFW logging to medium, then mention medium keyword after logging command.
$ sudo ufw logging medium
UFW logs are present in /var/log directory. You can use ls command to list all the log files created by ufw.
$ sudo ls /var/log/ufw* /var/log/uwf.log /var/log/uwf.log.1 /var/log/uwf.log.2
You can open any log file with less command.
$ sudo less /var/log/ufw/log
The above command will show pagewise display of packet logs. Here is what each field in it stands for.
- IN= Device for incoming traffic.
- OUT= Device for outgoing traffic.
- MAC= Device’s MAC address.
- SRC= Connection source IP address.
- DST= Destination IP address of a connection.
- LEN= Packet’s length.
- TOS= (Type of Service) Packet classification, it is deprecated.
- PREC= Precedence Type of Service.
- TTL= Time To Live.
- ID= Unique ID for the IP datagram, shared by fragments of the same packet.
- PROTO= Used protocol.
- SPT – Source port
- DPT – Destination port
If you only want to view recent records, use tail command
$ sudo tail -f /var/log/ufw.log
You may also use grep command to filter ufw related entries in
$ grep -i ufw /var/log/syslog $ grep -i ufw /var/log/messages $ grep -i ufw /var/log/kern.log
In this article, we have learnt how to enable UFW logging. Please note, for UFW logging to work, rsyslog must be running. You can check its status with following command.
$ sudo service rsyslog status
UFW is a very convenient and fast command line interface for iptables in Linux. As you can see it allows you to easily configure the logging verbosity and provides detailed report about connections. It is a great tool that allows network administrators to quickly setup monitoring mechanism to watch network traffic and secure their system. Many users configure UFW but forget to enable logging. Hopefully, this article will help you get benefits of UFW logging features.