[UFW BLOCK] messages in syslog – how to get rid of them?
The UFW (Uncomplicated Firewall) is getting more and more popular, which is a good thing: the better individual servers are secured, the better security is in general. However, UFW users may notice that their syslog is growing large and is full of [UFW BLOCK] messages.
These messages are generated by the firewall whenever a packet is blocked. Some details of the connection are recorded in them, for example the IP address of the “attacker”. The problem is that sometimes even computers in our own office or home network generate such messages, for instance when they check whether the server is reachable.
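As an added example (my own, not part of the original post), here is a small POSIX shell script that reads the [UFW BLOCK] lines from a UFW log, counts how often each source address was blocked, and lists the blocks that came from our own private (RFC 1918) networks, which is how you tell office or home machines apart from outside scanners. The log lines inside it are constructed samples using documentation addresses, not a capture from a real host; point the functions at /var/log/ufw.log to use them on a real system.

```shell
#!/bin/sh
# Added example: summarise [UFW BLOCK] lines from a UFW log.
# The sample log below is constructed (RFC 5737 documentation addresses),
# not output from any real server.

set -eu

# Write a constructed sample of /var/log/ufw.log to the given path.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  3 10:15:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=23 SYN
Mar  3 10:15:03 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=3389 SYN
Mar  3 10:15:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:15:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:15:06 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=8080 SYN
Mar  3 10:15:07 srv kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
EOF
}

# Print "<count> <source IP>" for every source that was blocked,
# most frequently blocked first. Only [UFW BLOCK] lines are counted;
# [UFW ALLOW] / [UFW AUDIT] lines are ignored.
top_blocked_sources() {
    grep '\[UFW BLOCK\]' "$1" |
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^SRC=/) { ip = substr($i, 5); c[ip]++ } }
         END { for (ip in c) printf "%d %s\n", c[ip], ip }' |
    sort -rn
}

# Print the [UFW BLOCK] lines whose source is an RFC 1918 address,
# i.e. blocks that most likely come from our own office/home network.
blocked_from_private_networks() {
    grep '\[UFW BLOCK\]' "$1" |
    awk '{ src = ""
           for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5) }
         src ~ /^10\./ || src ~ /^192\.168\./ ||
         src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ { print }'
}

# Demo on the constructed sample.
log="$(mktemp)"
make_sample_log "$log"
echo "Blocked sources (count, IP):"
top_blocked_sources "$log"
echo "Blocks from private networks:"
blocked_from_private_networks "$log"
rm -f "$log"
```

The awk loops scan the key=value fields instead of relying on a fixed column, because the number of fields before SRC= differs between kernel versions and between lines with and without a MAC= field.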
These messages are typically also stored in /var/log/ufw.log, so there is no need to duplicate them in the syslog.
A typical modern Linux installation with UFW also runs rsyslogd, which handles logging. We need to adjust the rsyslogd configuration for UFW. The configuration file is typically located at /etc/rsyslog.d/20-ufw.conf and contains something like:
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop
There is only one change needed: uncomment the last line of the file (the "& stop" rule), so that messages matching the previous rule are not passed on to any later rules, including the ones that write syslog and kern.log. However, I like to add one more thing: a dash before the name of the file. This turns off immediate file synchronization, meaning that writes to the file are buffered and flushed in batches instead of after every message. It results in fewer disk writes and, since this log is not crucial, it is safe.
So, the file contents after the change should look like:
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " -/var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
& stop
Finally, restart rsyslog so the change takes effect:
sudo systemctl restart rsyslog
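To make the two edits above repeatable (for example across several servers), here is an added POSIX shell script of my own, not part of the original post or of the rsyslog project. It applies both changes with sed, is safe to run twice, and verifies the result. It works on a constructed copy of the stock 20-ufw.conf; to use it on a real host, call fix_ufw_rsyslog_conf on /etc/rsyslog.d/20-ufw.conf as root and then restart rsyslog as shown above.

```shell
#!/bin/sh
# Added example: apply the two edits from the post to a 20-ufw.conf file.
# The sample file written by make_sample_conf is a constructed copy of the
# stock Ubuntu file, so the demo never touches /etc.

set -eu

# Write a constructed copy of the stock /etc/rsyslog.d/20-ufw.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop
EOF
}

# Apply both edits to the given file, idempotently:
#  1. prefix the ufw.log path with "-" (buffered writes, no sync per message)
#  2. uncomment "#& stop" so matching messages reach no further rules
# The first pattern only matches a path without the dash, so running the
# function again changes nothing.
fix_ufw_rsyslog_conf() {
    conf="$1"
    sed -e 's|^\(:msg,contains,"\[UFW " \)/var/log/ufw.log|\1-/var/log/ufw.log|' \
        -e 's|^#& stop$|\& stop|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when the file contains exactly the two lines we expect after
# the change, non-zero otherwise.
verify_ufw_rsyslog_conf() {
    grep -q '^:msg,contains,"\[UFW " -/var/log/ufw.log$' "$1" &&
    grep -q '^& stop$' "$1"
}

# Demo on the constructed copy.
conf="$(mktemp)"
make_sample_conf "$conf"
fix_ufw_rsyslog_conf "$conf"
if verify_ufw_rsyslog_conf "$conf"; then
    echo "20-ufw.conf updated correctly:"
    cat "$conf"
else
    echo "update failed" >&2
    exit 1
fi
rm -f "$conf"
```

Before restarting the daemon on a real host it is worth running `sudo rsyslogd -N1`, which parses the configuration and reports syntax errors without starting rsyslog; a typo in a rule file would otherwise leave the service failing to start and logging nothing at all.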