Disable UFW BLOCK messages in syslog on Ubuntu
ufw a firewall on Ubuntu works great, except for logging too verbose into the syslog.
$ less /var/log/syslog Jun 2 00:00:56 legendiary kernel: [147272.918975] [UFW BLOCK] IN=eth0 OUT= MAC=96:00:00:37:5b:55:d2:bc:7f:6e:34:e3:a3:00 SRC=126.96.36.199 DST=188.8.131.52 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57817 PROTO=TCP SPT=56036 DPT=60429 WINDOW=1024 RES=0x00 SYN URGP=0
This can hide essential information in the syslog, and is redundant information too since the logging also happens in
Solution: Configure rsyslog log message patterns
/etc/rsyslog.d/20-ufw.conf and uncomment the last line, leaving
& stop there. This prevents the message from being logged into the syslog too.
$ vim /etc/rsyslog.d/20-ufw.conf # Log kernel generated UFW log messages to file :msg,contains,"[UFW " /var/log/ufw.log # Uncomment the following to stop logging anything that matches the last rule. # Doing this will stop logging kernel generated UFW log messages to the file # normally containing kern.* messages (eg, /var/log/kern.log) & stop
rsyslog service afterward.
$ systemctl restart rsyslog