Ufw logs disappeared, explanations?

ScrambledEggs

So I've been making it a habit of checking my logs on a daily basis to familiarize myself with what is normal so I can hopefully spot suspicious activity. Well, last night after browsing the world wide web for hours and hours I decided to cd into my logs to see what they were talking about (auth.log, syslog, kern.log, ufw.log, dmesg, wtmp, etc.). Well, I noticed a lot of activity in my ufw.log, syslog, and I believe auth.log as well. When I was checking my logs, I got extremely tired so I decided to take care of the situation after I got some rest. Once rested, I go back to my computer, and cd straight into ufw.log but it was EMPTY. In my log directory I have 2 ufw.log files (ufw.log and ufw.log.1). The ufw.log.1 contains logs dated Feb 1st to Feb 6th. The ufw.log held the logs for Feb 7th and Feb 8th. Can someone give me an explanation as to why those particular logs from ufw.log disappeared? The text file is present but the contents are missing when I know they were there several hours before. I think someone tunneled in and set up shop in my box, but I'm keeping my fingers crossed that all is well.
 


If you are logging, but there are no /var/log/ufw* files, check to see if rsyslog is running:
Code:
sudo service rsyslog status
If it does not show that it is running, you can try to start the service:
Code:
sudo service rsyslog restart
If rsyslog is running, ufw is logging, and there are still no log files, search through common log files for any mention of UFW. For example:
Code:
grep -i ufw /var/log/syslog
and
Code:
grep -i ufw /var/log/messages
as well as
Code:
grep -i ufw /var/log/kern.log
Also make sure logging is on:
Code:
sudo ufw logging on
 
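The checks above, gathered into one read-only script. This is an added example, not code from the thread or from the ufw project; it assumes the Debian/Ubuntu log layout under /var/log and ufw's "[UFW " log tag.

```sh
#!/bin/sh
# Added example, not code from the thread or from the ufw project: Expirion's
# checks rolled into one read-only pass so the state of every candidate log file
# (size, span of dates it covers, number of ufw entries) is visible at once.
# Assumes the Debian/Ubuntu layout under /var/log and ufw's "[UFW " log tag.

LOGDIR="${LOGDIR:-/var/log}"

# Print a log file, transparently decompressing rotated *.gz copies.
cat_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Number of ufw entries in one file; 0 when the file is missing or empty.
count_ufw_lines() {
    [ -r "$1" ] || { echo 0; return; }
    cat_log "$1" | grep -c '\[UFW ' || true
}

# First and last syslog timestamp ("Mon DD HH:MM:SS") in a file, which shows
# which rotated copy holds which days and whether the live file has been emptied.
date_span() {
    [ -s "$1" ] || { echo "empty"; return; }
    first=$(cat_log "$1" | head -n 1 | cut -c1-15)
    last=$(cat_log "$1" | tail -n 1 | cut -c1-15)
    echo "$first .. $last"
}

# Service and ufw state (ufw needs root; the line is simply absent otherwise),
# then one row per log file that could carry ufw entries.
report() {
    command -v systemctl >/dev/null 2>&1 &&
        echo "rsyslog: $(systemctl is-active rsyslog 2>/dev/null || echo unknown)"
    command -v ufw >/dev/null 2>&1 &&
        ufw status verbose 2>/dev/null | grep -i '^logging' || true
    for f in "$LOGDIR"/ufw.log* "$LOGDIR"/syslog "$LOGDIR"/kern.log "$LOGDIR"/messages; do
        [ -e "$f" ] || continue
        printf '%-24s %9s bytes  %-36s ufw entries: %s\n' "$(basename "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" "$(date_span "$f")" "$(count_ufw_lines "$f")"
    done
}

[ "${1:-}" = "--no-run" ] || report
```

Run it as a user in the adm group (or with sudo) so syslog and kern.log are readable; a live ufw.log that reports "empty" while a rotated copy holds the latest dates points at rotation rather than tampering.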
Thank you for your response, Expirion.

#The input for 'sudo service rsyslog status' was:

rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-02-09 13:06:38 CST; 20min ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 963 (rsyslogd)
Tasks: 4 (limit: 19020)
Memory: 3.5M
CGroup: /system.slice/rsyslog.service
└─963 /usr/sbin/rsyslogd -n -iNONE

Feb 09 13:06:38 YourNameHere systemd[1]: Starting System Logging Service...
Feb 09 13:06:38 YourNameHere rsyslogd[963]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2001.0]
Feb 09 13:06:38 YourNameHere systemd[1]: Started System Logging Service.
Feb 09 13:06:38 YourNameHere rsyslogd[963]: rsyslogd's groupid changed to 110
Feb 09 13:06:38 YourNameHere rsyslogd[963]: rsyslogd's userid changed to 104
Feb 09 13:06:38 YourNameHere rsyslogd[963]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="963" x-info="https://www.rsyslog.com"] start
Feb 09 13:06:39 YourNameHere rsyslogd[963]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="963" x-info="https://www.rsyslog.com"] rsyslogd was HUPed


(I used the command 'sudo service rsyslog restart' just to be sure it has been restarted and is indeed active.)
________________________________________________________________________________
#The output for command 'grep -i ufw /var/log/syslog' was nothing.
________________________________________________________________________________
#The output for command 'grep -i ufw /var/log/messages' was:

grep: /var/log/messages: No such file or directory
________________________________________________________________________________
#The output for command 'grep -i ufw /var/log/kern.log' was nothing.
________________________________________________________________________________
#The output for command 'sudo ufw logging on' was:

Logging enabled
________________________________________________________________________________
Does the output for 'sudo service rsyslog status' look normal? I ask because of the "rsyslogd was HUPed" part which I recall seeing in the log files.
 
