Is there a way I can easily redirect the entries for UFW to their own log file at /var/log/ufw instead of filling up /var/log/syslog as it's becoming tricky to find solutions to problems with all this UFW stuff flying past me?


I'm running Ubuntu 14.04 as well. In my /etc/rsyslog.d/ there's a file 20-ufw.conf which has the following line:

:msg,contains,"[UFW " /var/log/ufw.log

What I've done is delete that file, and at the top of 50-default.conf I added the following:

:msg,contains,"[UFW " /var/log/ufw.log
& stop

Restart rsyslog with sudo service rsyslog restart and your UFW logs should be put into their own file and not into any other.


In Ubuntu 15.10 and Debian Jessie there is a file /etc/rsyslog.d/20-ufw.conf. It contains at the bottom # & ~. Remove the # in front of it to uncomment it and refresh rsyslog with the command /etc/init.d/rsyslog restart so that it takes in account the configuration change.


ufw uses rsyslog for logging to /var/log/syslog or /var/log/messages:

To change the log file, edit /etc/rsyslog.d/50-default.conf and to the top add:

:msg, contains, "UFW" -/var/log/ufw.log  & ~  

This will log all data that contains "UFW" to /var/log/ufw.log will prevent further processing of such data.


On 16.04 just comment out the last line in this file so that it reads

$ tail -1 /etc/rsyslog.d/20-ufw.conf   & stop  

and restart rsyslog

$ sudo systemctl restart rsyslog  

from now on, ufw logs will be in /var/log/ufw.log and not anymore in /var/log/syslog

