How can I log the UID in UFW log file permanently?

Asked by Steffen Ewert

I have a Debian 10 system with UFW installed. I want to know the user or UID of the processes of the connections which are logged by UFW. To log the UID I have added ``--log-uid`` to the log rules in ``/etc/ufw/user.rules``:

    ### LOGGING ###
    -A ufw-after-logging-input -j LOG --log-uid --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -A ufw-after-logging-output -j LOG --log-uid --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -A ufw-after-logging-forward -j LOG --log-uid --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-uid --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
    -A ufw-logging-deny -j LOG --log-uid --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -A ufw-logging-allow -j LOG --log-uid --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
    -I ufw-before-logging-input -j LOG --log-uid --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
    -I ufw-before-logging-output -j LOG --log-uid --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
    -I ufw-before-logging-forward -j LOG --log-uid --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
    ### END LOGGING ###

If I restart ufw (``systemctl restart ufw``) and look into ``/etc/ufw/user.rules``, my added ``--log-uid`` options are still there. But after a while this option is removed automatically and the UFW log output doesn't contain the UID. So my question is: What is the correct way to add ``--log-uid`` permanently?
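
A check for the symptom described in the question, as an added example that is not part of the original thread: it lists the LOG rules in a ufw rules file that lack ``--log-uid``, so a scheduled job can flag the moment the option has been dropped. The function name and the sample rules are constructed for illustration; on a real system the file to check would be ``/etc/ufw/user.rules``.

```sh
#!/bin/sh
# Added example: report LOG rules in a ufw rules file that lack --log-uid.
# Prints "<line>: <rule>" per offender. Returns 0 if every LOG rule has the
# option, 1 if any rule is missing it, 2 if the file cannot be read.
ufw_log_rules_missing_uid() {
    rules_file=$1
    if [ ! -r "$rules_file" ]; then
        echo "cannot read $rules_file" >&2
        return 2
    fi
    # [ \t] instead of [[:space:]] so this also works with old mawk versions.
    awk '
        /^[ \t]*#/ { next }    # skip comments and "### LOGGING ###" markers
        /(^|[ \t])-j[ \t]+LOG([ \t]|$)/ && !/(^|[ \t])--log-uid([ \t]|$)/ {
            printf "%d: %s\n", NR, $0
            missing = 1
        }
        END { exit missing ? 1 : 0 }
    ' "$rules_file"
}

# Demo on constructed sample rules (not taken from a real system).
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-uid --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
### END LOGGING ###
EOF
if ufw_log_rules_missing_uid "$demo_rules"; then
    echo "all LOG rules carry --log-uid"
else
    echo "LOG rules without --log-uid found (listed above)"
fi
rm -f "$demo_rules"
```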

Question information

Language: English
Status: Answered
For: Ubuntu ufw
Assignee: No assignee

Manfred Hampl (m-hampl) said :
#1

Maybe https://serverfault.com/questions/198398/ubuntu-how-to-add-an-iptables-rule-that-ufw-cant-create helps.

Remark: This is support for Ubuntu only, not for other operating systems like Debian or Linux Mint.

actionparsnip (andrew-woodhead666) said :
#2

Please use the Debian forum for Debian issues

Steffen Ewert (stewert72) said :
#3

Oh, sorry! This forum page is linked from https://answers.launchpad.net/ufw (under "Answers"). Also https://github.com/jbq/ufw#readme refers to an Ubuntu page (first link in the README section). So I thought this is the official UFW forum. I'll keep looking...

@Manfred: Thanks for the hint. I know the site. Adding the LOG rules into before.rules or after.rules wasn't helpful. I might play around with it a little more.

Manfred Hampl (m-hampl) said :
#4

Apparently the global ufw project is (mis-)using the Ubuntu area for answer tracking ("ufw questions are tracked in: ufw in Ubuntu.")
Sorry, I was not aware of that. This makes your request valid.

Remark: https://github.com/jbq/ufw seems to be very outdated (last change 10 years ago) and has version 0.31.1 whilst the current one is 0.36. I assume the current version for Debian is here: https://sources.debian.org/src/ufw/
