Disable UFW BLOCK messages in syslog on Ubuntu
ufw, a firewall on Ubuntu, works great, except that it logs too verbosely into the syslog.
$ less /var/log/syslog
Jun 2 00:00:56 legendiary kernel: [147272.918975] [UFW BLOCK] IN=eth0 OUT= MAC=96:00:00:37:5b:55:d2:bc:7f:6e:34:e3:a3:00 SRC=197.156.74.19 DST=78.47.77.78 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57817 PROTO=TCP SPT=56036 DPT=60429 WINDOW=1024 RES=0x00 SYN URGP=0
This can bury essential information in the syslog, and it is redundant too, since the same messages are also logged to /var/log/ufw.log.
Solution: Configure rsyslog log message patterns
Edit /etc/rsyslog.d/20-ufw.conf and uncomment the last line, leaving & stop there. This prevents the messages from being logged into the syslog as well.
$ vim /etc/rsyslog.d/20-ufw.conf
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
& stop
Restart the rsyslog service afterward.
$ systemctl restart rsyslog
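To confirm the change took effect, the following added example (not part of the original post) checks whether the discard action after the UFW rule is active and counts UFW lines in a log file. The function names ufw_stop_active and count_ufw and the sample files are constructed for illustration.

```shell
#!/bin/sh
# ufw_stop_active FILE
# Succeeds when the first directive after the ':msg,contains,"[UFW "' rule
# is an uncommented '& stop' (or the older '& ~' discard action).
ufw_stop_active() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        found { ok = ($0 ~ /^[ \t]*&[ \t]*(stop|~)[ \t]*$/); exit }
        /^:msg,[ \t]*contains,[ \t]*"\[UFW / { found = 1 }
        END { exit !(found && ok) }
    ' "$1"
}

# count_ufw FILE: print the number of lines in FILE carrying a "[UFW " tag.
count_ufw() {
    grep -c -F '[UFW ' "$1" || true
}

# Constructed sample files (assumptions, not copied from a real host).
demo=$(mktemp -d)
printf '%s\n' '# Log kernel generated UFW log messages to file' \
    ':msg,contains,"[UFW " /var/log/ufw.log' \
    '#& stop' > "$demo/before.conf"
printf '%s\n' '# Log kernel generated UFW log messages to file' \
    ':msg,contains,"[UFW " /var/log/ufw.log' \
    '& stop' > "$demo/after.conf"
printf '%s\n' \
    'Jun 2 00:00:56 host kernel: [UFW BLOCK] IN=eth0 SRC=192.0.2.10 DPT=60429' \
    'Jun 2 00:01:02 host sshd[812]: Accepted publickey for admin' \
    > "$demo/syslog"

for f in "$demo/before.conf" "$demo/after.conf"; do
    if ufw_stop_active "$f"; then
        echo "$f: UFW messages stop at ufw.log"
    else
        echo "$f: UFW messages still fall through to syslog"
    fi
done
echo "UFW lines in sample syslog: $(count_ufw "$demo/syslog")"
```

On a real host, run ufw_stop_active against /etc/rsyslog.d/20-ufw.conf after editing, and compare count_ufw /var/log/syslog before and after some traffic: the count should stop growing while /var/log/ufw.log keeps receiving entries.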