UFW AUDIT logged into kern.log

Asked by Ken Ulrich on 2016-06-20

Hello,

I know that I can disable logging to the kern.log/dmesg file, but that is not what I want. I want to enable full logging, and all log entries go to the /var/log/ufw.log file.

However, I am still seeing UFW AUDIT being sent to the kern.log.

I created the following entry in the /etc/rsyslog.d/50-default.conf

# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log
:msg,contains,"[UFW AUDIT]" /var/log/ufw.log

I've removed the "20-.." file that UFW automatically created from the equation as well.

Question information

Language: English
Status: Answered
For: Ubuntu ufw
Assignee: No assignee
Last query: 2016-06-29
Last reply: 2016-06-29
Ken Ulrich (ulrichkenneth) said : #2

actionparsnip (andrew-woodhead666)

That stops the UFW AUDIT from being logged in the kern.log, which is half of what I want. I want the UFW AUDITs to be redirected to the ufw.log file...

Again,

I know that I can disable logging to the kern.log/dmesg file, but that is not what I want. I want to enable full logging, and all log entries go to the /var/log/ufw.log file.

I want ALL "UFW *" entries in the ufw.log file. I want the UFW AUDIT entries to be redirected to the ufw.log, not stopped from being logged.

Manfred Hampl (m-hampl) said : #3

Which Ubuntu release are you running (uname -a; lsb_release -crid)?
Which version of ufw are you running (apt-cache policy ufw)?
What is the status of ufw logging (sudo ufw status verbose)?
In which log file do you currently receive ufw messages, in /var/log/syslog or /var/log/ufw.log or both?

Ken Ulrich (ulrichkenneth) said : #4

Manfred,

I apologize for the long delay. I had some civil matters I had to deal with. Below are your answers.

1. uname -a; lsb_release -crid
Linux storage 4.4.0-24-generic #43-Ubuntu SMP Wed Jun 8 19:27:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

2. apt-cache policy ufw
ufw:
  Installed: 0.35-0ubuntu2
  Candidate: 0.35-0ubuntu2
  Version table:
 *** 0.35-0ubuntu2 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status

3. sudo ufw status verbose
Status: active
Logging: Full
Default: deny (incoming), allow (outgoing)

4. I have the following in the /etc/rsyslog.d/50-default.conf file. The UFW AUDIT entries are still being logged in /var/log/syslog, while every other UFW entry is being sent to /var/log/ufw.log. Can the UFW AUDIT entries be moved to /var/log/ufw.log?

# Log kernel generated UFW log messages to file
# "contains" is a literal substring test: "*" is not a wildcard, so "[UFW *" would never
# match. "[UFW " (trailing space, no star) matches every prefix: BLOCK, ALLOW, AUDIT, ...
:msg,contains,"[UFW " /var/log/ufw.log
# The two rules below are subsumed by the rule above; leaving them active would write
# every AUDIT line to ufw.log two more times.
#:msg,contains,"[UFW AUDIT]" /var/log/ufw.log
#:msg,contains,"[UFW AUDIT] IN=" /var/log/ufw.log

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log

Manfred Hampl (m-hampl) said : #5

According to documentation on the web, the following lines in /etc/rsyslog.d/50-default.conf should take care of sending all ufw messages to ufw.log and dropping them from syslog:

# Quotes must be plain ASCII double quotes; typographic quotes are not parsed by rsyslog.
:msg, contains, "UFW" -/var/log/ufw.log
# "&" reuses the filter of the previous line; "~" discards the message so no later rule sees it.
# rsyslog 7 and later spell this "& stop"; "& ~" still works but is deprecated.
& ~

Ken Ulrich (ulrichkenneth) said : #6

The "& ~" command will stop it from logging to the syslog, but it still won't redirect to the /var/log/ufw.log like I want it to. It just stops all UFW AUDITs from being logged (which is not what I want).

If this is more of an issue with the rsyslog service, I can see about writing a script that will correct it.

I'm not sure how the UFW/rsyslog core service is designed to only send the UFW AUDITs to the syslog, but there has got to be a way to redevelop it to move where the entries go.

Manfred Hampl (m-hampl) said : #7

I do not understand why the documented way (adding a ufw rule ending with "& ~") would not work for your system, but works everywhere else.

I recommend that you restore /etc/rsyslog.d/50-default.conf and /etc/rsyslog.d/20-ufw.conf to their standard values.
Apply any changes to 50-default.conf as required for you, but do not put anything for ufw into it.
Edit 20-ufw.conf and uncomment the "& ~" line.
And then restart the syslog daemon.
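The two rsyslog behaviours the thread turns on are that `:msg, contains, "..."` is a literal substring test (a `*` in the pattern is not a wildcard), and that `& ~` (modern spelling `& stop`) reuses the previous line's filter and discards the message so that no later rule, including `*.*` and `kern.*`, writes it anywhere else; the write to ufw.log on the preceding line has already happened by then. Because rsyslog reads /etc/rsyslog.d/*.conf in lexical order, a rule in 20-ufw.conf runs before everything in 50-default.conf, which is why ufw ships its rule there. The script below is an added example, not code from this thread or from ufw/rsyslog: it simulates that subset of rsyslog's legacy rule processing (contains filters, facility selectors with `.none` exclusion, the `-` async prefix and the discard action; priority thresholds are not modelled) over constructed kernel, cron and authpriv messages, and runs the configuration posted in the question next to the corrected one so the difference in where each line lands is visible.

```python
"""Simulate rsyslog's legacy (sysklogd-style) rule processing for UFW messages.

Added example, not code from the original thread. It models only the syntax
that appears in the discussion: ':msg, contains, "..."' property filters,
'facility.priority' selectors (with the '.none' exclusion), the '-'
asynchronous-write prefix, and the '& ~' / '& stop' discard action.
Priority thresholds (e.g. kern.warning) are not modelled beyond '.none'.
"""
import re

CONTAINS_RE = re.compile(r'^:msg,\s*contains,\s*"([^"]*)"\s+(\S+)$')
DISCARD_RE = re.compile(r'^&\s*(~|stop)$')


def parse_rules(config_text):
    """Turn rsyslog config text into an ordered list of (kind, match, target)."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTAINS_RE.match(line)
        if m:
            # 'contains' is a literal substring test: '*' is NOT a wildcard.
            rules.append(("contains", m.group(1), m.group(2).lstrip("-")))
        elif DISCARD_RE.match(line):
            # '&' reuses the previous line's filter; '~' / 'stop' discards the message.
            rules.append(("discard", None, None))
        else:
            selector, target = line.split(None, 1)
            rules.append(("selector", selector, target.strip().lstrip("-")))
    return rules


def selector_matches(selector, facility):
    """Evaluate 'fac1,fac2.prio;fac3.none' for one facility; later parts override."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        fac_list = facs.split(",")
        if "*" in fac_list or facility in fac_list:
            matched = prio != "none"
    return matched


def route(rules, facility, msg):
    """Return the files one message is written to, in rule order."""
    targets = []
    last_matched = False
    for kind, match, target in rules:
        if kind == "contains":
            last_matched = match in msg
            if last_matched:
                targets.append(target)
        elif kind == "discard":
            if last_matched:
                break  # discard fires only when the preceding filter matched
        else:
            last_matched = selector_matches(match, facility)
            if last_matched:
                targets.append(target)
    return targets


def route_all(config_text, messages):
    """Map each output file to the list of messages it would receive."""
    rules = parse_rules(config_text)
    files = {}
    for facility, msg in messages:
        for target in route(rules, facility, msg):
            files.setdefault(target, []).append(msg)
    return files


# Constructed sample messages (not real captures): two kernel UFW lines plus
# two non-UFW lines to show that the discard rule does not swallow them.
UFW_BLOCK = "[UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=22"
UFW_AUDIT = "[UFW AUDIT] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=80"
CRON_MSG = "(root) CMD (run-parts /etc/cron.hourly)"
AUTH_MSG = "pam_unix(sshd:session): session opened for user alice"
MESSAGES = [("kern", UFW_BLOCK), ("kern", UFW_AUDIT),
            ("cron", CRON_MSG), ("authpriv", AUTH_MSG)]

# The relevant part of a stock 50-default.conf.
DEFAULT_TAIL = """
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
cron.*                          /var/log/cron.log
kern.*                          -/var/log/kern.log
"""

# The configuration from the question: '[UFW *' never matches, the AUDIT line
# hits two overlapping rules, and nothing stops the later syslog/kern.log rules.
BROKEN_CONFIG = """
:msg,contains,"[UFW *" /var/log/ufw.log
:msg,contains,"[UFW AUDIT]" /var/log/ufw.log
:msg,contains,"[UFW AUDIT] IN=" /var/log/ufw.log
""" + DEFAULT_TAIL

# One literal prefix matches every UFW message (BLOCK, ALLOW, AUDIT, ...) and the
# discard rule keeps them out of syslog and kern.log; other facilities are untouched.
FIXED_CONFIG = """
:msg,contains,"[UFW " -/var/log/ufw.log
& ~
""" + DEFAULT_TAIL


def compare():
    """Route the sample messages through both configurations."""
    return route_all(BROKEN_CONFIG, MESSAGES), route_all(FIXED_CONFIG, MESSAGES)


if __name__ == "__main__":
    for label, result in zip(("broken", "fixed"), compare()):
        print(f"== {label} ==")
        for path in sorted(result):
            for line in result[path]:
                print(f"{path}: {line[:40]}")
```

With the posted configuration the BLOCK line never reaches ufw.log, the AUDIT line is written to ufw.log twice and to syslog and kern.log once each; with the corrected rules both UFW lines land only in ufw.log while the cron and authpriv lines still reach syslog, cron.log and auth.log. On a real host the equivalent check is `rsyslogd -N1` for syntax and `logger -p kern.info "[UFW AUDIT] test"` followed by a look at the log files.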
