Ubuntu Logging – Where Are the Logs for UFW Located on Ubuntu Server?

linuxloggingUbuntuufw

I have an Ubuntu server where I am blocking some IPs with ufw. I enabled logging, but I don't know where to find the logs. Where might the logs be or why might ufw not be logging?

Best Answer

Perform sudo ufw status verbose to see if you're even logging in the first place. If you're not, perform sudo ufw logging on if it isn't. If it is logging, check /var/log/ for files starting with ufw. For example, sudo ls /var/log/ufw*

If you are logging, but there are no /var/log/ufw* files, check to see if rsyslog is running: sudo service rsyslog status. If rsyslog is running, ufw is logging, and there are still no logs files, search through common log files for any mention of UFW. For example: grep -i ufw /var/log/syslog and grep -i ufw /var/log/messages as well as grep -i ufw /var/log/kern.log.

If you find a ton of ufw messages in the syslog, messages, and kern.log file, then rsyslog might need to be told to log all UFW messages to a separate file. Add a line to the top of /etc/rsyslog.d/50-default.conf that says the following two lines:

:msg, contains, “UFW” -/var/log/ufw.log
& ~

And you should then have a ufw.log file that contains all ufw messages!

NOTE:

Check the 50-default.conf file for pre-existing configurations.

Make sure to backup the file before saving edits!

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Ubuntu – the Tomcat Logs

Very late to this discussion, but it appears that the 03catalina.policy file in both tomcat5.5 & tomcat6 doesn't actually permit writing to logfiles.

The simplest solution is to change the JULI permissions to:

// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
};

Obviously, there may be security issues I'm not aware of, but I really can't be bothered to dig deeper - I've spent too long on this myself.

Best Answer

NOTE:

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Ubuntu – the Tomcat Logs

Related Topic