ufw.log missing?

**#&thj^%** · December 27th, 2017

Originally Posted by g3kxyz

I see the following in nano /etc/rsyslog.d/20-ufw.conf

Code:

# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log


# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop

Ok Great try with this then add to the bottom:

Code:

tail -1 /etc/rsyslog.d/20-ufw.conf 
& stop

Then restart rsyslog:

Code:

sudo systemctl restart rsyslog

And now they should be in /var/log/ufw.log and not in /var/log/syslog anymore

**g3kxyz** · December 27th, 2017

Added it exactly as you said

nano /etc/rsyslog.d/20-ufw.conf

Code:

# Log kernel generated UFW log messages to file:msg,contains,"[UFW " /var/log/ufw.log


# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop


$ tail -1 /etc/rsyslog.d/20-ufw.conf
& stop

restarted with

Code:

sudo systemctl restart rsyslog

but now I see this in /var/log/syslog

Code:

Dec 27 15:18:20 apollo systemd[1]: Starting System Logging Service...
Dec 27 15:18:20 apollo rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ]
Dec 27 15:18:20 apollo systemd[1]: Started System Logging Service.
Dec 27 15:18:20 apollo rsyslogd-2007: action 'action 11' suspended, next retry is Wed Dec 27 15:18:50 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Dec 27 15:18:20 apollo rsyslogd-3003: invalid or yet-unknown config file command 'KLogPermitNonKernelFacility' - have you forgotten to load a module? [v8.16.0 try http://www.rsyslog.com/e/3003 ]
Dec 27 15:18:20 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: invalid character '$' - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:20 apollo rsyslogd-2184: action 'tail' treated as ':omusrmsg:tail' - please use ':omusrmsg:tail' syntax instead, 'tail' will not be supported in the future [v8.16.0 try http://www.rsyslog.com/e/2184 ]
Dec 27 15:18:20 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: warnings occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:20 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:20 apollo rsyslogd: rsyslogd's groupid changed to 111
Dec 27 15:18:20 apollo rsyslogd: rsyslogd's userid changed to 106
Dec 27 15:18:38 apollo rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="4719" x-info="http://www.rsyslog.com"] exiting on signal 15.
Dec 27 15:18:38 apollo rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="4726" x-info="http://www.rsyslog.com"] start
Dec 27 15:18:38 apollo rsyslogd-3003: invalid or yet-unknown config file command 'KLogPermitNonKernelFacility' - have you forgotten to load a module? [v8.16.0 try http://www.rsyslog.com/e/3003 ]
Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: invalid character '$' - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:38 apollo rsyslogd-2184: action 'tail' treated as ':omusrmsg:tail' - please use ':omusrmsg:tail' syntax instead, 'tail' will not be supported in the future [v8.16.0 try http://www.rsyslog.com/e/2184 ]
Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: warnings occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:38 apollo rsyslogd: rsyslogd's groupid changed to 111
Dec 27 15:18:38 apollo rsyslogd: rsyslogd's userid changed to 106

if I do this at term # /var/log# grep ufw syslog

it gives me this below

Code:

Dec 26 19:40:25 apollo ufw-init[52]: modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/2.6.32-042stab126.1/modules.dep.bin'
Dec 26 19:40:25 apollo ufw-init[52]: modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/2.6.32-042stab126.1
Dec 26 19:40:25 apollo ufw-init[52]: modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/2.6.32-042stab126.1/modules.dep.bin'
Dec 26 19:40:25 apollo ufw-init[52]: modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/2.6.32-042stab126.1
Dec 26 19:40:25 apollo ufw-init[52]: modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/2.6.32-042stab126.1/modules.dep.bin'
Dec 26 19:40:25 apollo ufw-init[52]: modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/2.6.32-042stab126.1
Dec 26 19:40:25 apollo ufw-init[52]: sysctl: permission denied on key 'net.ipv4.tcp_sack'
Dec 27 15:18:20 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: invalid character '$' - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:20 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: warnings occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:20 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: invalid character '$' - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: warnings occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:23:10 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: warnings occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Dec 27 15:23:10 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/20-ufw.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]

**g3kxyz** · December 27th, 2017

Something tells me it hasn't been logging [UFW in the /var/log/syslog file either because I can't find any traces of it there.

**g3kxyz** · December 27th, 2017

I found the [UFW BLOCK] logs by typing dmesg in terminal so for some reason they are logging to dmesg instead.

I'm not exactly sure how to change this logging behavior.

**#&thj^%** · December 27th, 2017

Something is syntactically wrong with the mentioned config file, so that further interpretation is impossible. The error most often actually is on the quoted line, or at least very close in front of it. A syntax error can be caused by invalid spelling of RainerScript commands, e.g. "stopp" instead of the correct "stop".
But yours looks good from here?
Hope you kept that terminal open lets try this instead then remove those 2 lines and instead add this to the Top this time:

Code:

:msg, contains, "UFW" -/var/log/ufw.log
& ~

you already have this ":msg,contains,"[UFW " /var/log/ufw.log"
Just a:

Code:

& ~

Save and restart:

Code:

sudo systemctl restart rsyslog

Now look at all data that contains "UFW" in /var/log/ufw.log

**QIII** · December 27th, 2017

I think the issue is here:

Code:

Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: invalid character '$' - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]

Try replacing

Code:

$ tail -1 /etc/rsyslog.d/20-ufw.conf

in 20-ufw.conf with

Code:

tail -1 /etc/rsyslog.d/20-ufw.conf

Let us know if that helps.

**g3kxyz** · December 27th, 2017

Now the file looks like this

Code:

# Log kernel generated UFW log messages to file:msg,contains,"[UFW " /var/log/ufw.log
& ~


# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#:msg, contains, "UFW" -/var/log/ufw.log


#& stop

restarted rsyslog

No change in /var/log

Code:

root@apollo:/var/log# ls
alternatives.log  apt       btmp             dmesg     faillog         fsck     mail.log  php7.0-fpm.log  syslog      wtmp
apache2           auth.log  dbconfig-common  dpkg.log  fontconfig.log  lastlog  mysql     samba           vsftpd.log

Still see a ton of [UFW BLOCK] in dmesg. My guess is iptables is doing the logging.

**#&thj^%** · December 27th, 2017

Originally Posted by QIII

I think the issue is here:

Code:

Dec 27 15:18:38 apollo rsyslogd-2207: error during parsing file /etc/rsyslog.d/20-ufw.conf, on or before line 9: invalid character '$' - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]

Try replacing

Code:

$ tail -1 /etc/rsyslog.d/20-ufw.conf

in 20-ufw.conf with

Code:

tail -1 /etc/rsyslog.d/20-ufw.conf

Let us know if that helps.

Good Spot QIII +1
I tell ya I'm going Blind...LOL

Originally Posted by g3kxyz

Now the file looks like this

Code:

# Log kernel generated UFW log messages to file:msg,contains,"[UFW " /var/log/ufw.log
& ~


# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#:msg, contains, "UFW" -/var/log/ufw.log


#& stop

restarted rsyslog

No change in /var/log

Code:

root@apollo:/var/log# ls
alternatives.log  apt       btmp             dmesg     faillog         fsck     mail.log  php7.0-fpm.log  syslog      wtmp
apache2           auth.log  dbconfig-common  dpkg.log  fontconfig.log  lastlog  mysql     samba           vsftpd.log

Still see a ton of [UFW BLOCK] in dmesg. My guess is iptables is doing the logging.

Yep that to be expected wrong syntax should look like this:

Code:

:msg, contains, "UFW" -/var/log/ufw.log
& ~

But try with the new syntax QIII picked out!

**g3kxyz** · December 27th, 2017

right now 20-ufw.conf contains the following

Code:

# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log


# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)


tail -1 /etc/rsyslog.d/20-ufw.conf
& stop

is that what u want me to try?

**#&thj^%** · December 27th, 2017

Yes Please.

Thread: ufw.log missing?

Thread Tools

Display

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Re: ufw.log missing?

Bookmarks

Bookmarks

Posting Permissions