UFW logs allow users to check for incoming and outgoing packets which also include origin, destination, used protocol, and many other critical details that are crucial for network security.

Ubuntu comes preinstalled with UFW firewall. It supports logging, of course. But you may not have it enabled by default.

Check the firewall status like this:

sudo ufw status verbose

Did you notice the Logging: off in the second line of the output? That means that logging has not been activated yet.

And if you get the same output as mine, you can enable firewall logging by the following command:

sudo ufw logging on

Since you have enabled the UFW firewall logging, you can check the firewall logs using the given command:

sudo less /var/log/ufw.log

And if you are curious to learn more about firewall logging including various levels of logging (you get low by default) and the meaning of each line in the log, you can refer to the given guide.

Cloud Backup: Easy, Secure Online Backup - Backblaze

Never lose a photo, video, or file again. Cloud backup made easy and automatic. Backblaze unlimited online backup for $7 per month.

Backblaze

Check UFW Firewall logs in Ubuntu

The UFW firewall logs are located at /var/log/ufw.log meaning, you can use various ways to check the logs.

Using tail command

The tail command by default will print the last 10 lines of a specified file but when used with -f option, it will update UFW logs and will get you live coverage of logs:

tail -f /var/log/ufw.log

Using less command

The less command is used when you have to read the file containing hundreds or even thousands of lines and in that case, the less command is useful.

You can use the given command to check UFW firewall logs using the less command:

less /var/log/ufw.log

Using the grep command

The grep command is generally used to filter specific data from a file. And you will find the UFW firewall logs in the system and kernel logs too.

So you can use either of the two commands to check UFW firewall logs using the grep command:

grep -i ufw /var/log/syslog

grep -i ufw /var/log/kern.log

Now, let's skip to the explanation part. And I will start with different levels of logging.

Meaning of the various logging levels in the UFW firewall

By default, the Logging level will be locked at the low level:

Including the low level, there are other 4 levels of firewall making it total 5 levels.

So let's have a look at what different levels of UFW logging offers:

• off: Logging turned off meaning absolutely no information.
• low: Contains logs related to blocked packets that do not match firewall rules as well as packets matching logged rules.
  You can define logging rules for UFW (which I will show you later in this guide) and it is known as logged rules.
• medium: In addition to the low level, you get all the invalid packets, new connections, and logging is done through rate limiting.
• high: logs packets with and without rate limiting.
• full: Same as high level but does not include rate limiting.

And to change your default/current level of logging, you just have to use the given command structure:

sudo ufw logging logging_level

So if I want to change my logging level to the medium level, I'd have to use the given command:

sudo ufw logging medium

Add UFW log rule

As I mentioned earlier, you can add a log rule to monitor specific services.

It is quite easy and can be done using the following command syntax:

sudo ufw allow log service_name

For example, if I want to log every SSH connection, I will have to use the given command:

sudo ufw allow log 22/tcp

Scheduled Snapshots, Database and Application for and all providers - SnapShooter

Take up to hourly backup and snapshots for DigitalOcean and all providers. Scheduled and simple, allowing fast recovery

SnapShooter

Interpret UFW Firewall logs

When you look at UFW logs, it will show you the following output:

Now, let me break it done the log word by word.

• Nov 29 05:18:24 Learnubuntu kernel: [   10.575808]: Shows date, time hostname (Learnubuntu in my case), and kernel time since boot.
• [UFW BLOCK]: Most of the users will only see the UFW BLOCK as by default the logging is locked at a low level and will only indicate the blocked packages.
  This means UFW BLOCK will show the packages which were against the UFW rules.
  But if you are using different levels of logging or added logging rules, you might see different outputs. As I added SSH to the logging rule, it showed me [UFW ALLOW]:

• IN =ens33: Here, IN indicated to the network interface (mine is ens33) from which the packet has arrived.
• OUT: If this contains value means there was an outgoing event. But for me, it was blank which means there was no outgoing.
• MAC=00:0c:29:71:06:82:8c:b8:7e:b7:f7:46:08:00: Shows the combination of source and destination MAC address.
• SRC=192.168.1.7: The IP address of source, indicates the origin of the package.
• DST=192.168.1.8: The IP address of the packet's destination (should be your machine's IP).
• LEN=60: Length of the packet. Mine is showing 60 bytes.
• TOS=0x10: Indicates the type of service. 0x10 is hexadecimal used to indicate runtime service.
• PREC=0x00: Shows the precedence type of service.
• TTL=64: TTL (Time To Live). Which explains how long the package will bounce until it expires if no destination is specified.
• ID=34608: Indicates the unique ID for the IP datagram that will be shared by the fragments of the same packet.
• DF: Do not fragment the flag of TCP.
• PROTO=TCP: Used protocol for the transmission of packets. Mine is TCP.
• SPT=42874: Indicates the source port of the package.
• DPT=22: Shows the destination port of the package.
• WINDOW=64240: TCP window size.
• RES=0x00: Shows reserved bits.
• SYN URGP=0: Here, the SYN flag indicates the attempt to make a new connection but is equal to 0 means the attempt was blocked.

Wrapping Up

In this guide, I went through enabling and checking UFW firewall logs. I hope this guide will be helpful in your next network troubleshooting.

Please let me know if you have any queries or suggestions in the comments.