3

I've recently built a server and decided to use UFW for the first time. I was investigating a possible connection issue (turns out it was their end) but I noticed that the logs are full of entries saying that traffic was blocked on port 80 and port 443 - rather worrying for a web server. Checking ufw status confirms that all traffic on these ports is allowed - additionally, we haven't had anyone report problems connecting to the server.

I found this other question: UFW logs blocked request on open port, what am I missing? - it set my mind at ease, but I'd prefer to be able to not have these "FIN ACK" messages in my logs so I can discern legitimate entries more clearly.

Other than simply piping through grep, is it possible to selectively filter entry into the log from a UFW config setting?

Community
  • 1
HorusKol
  • 751
  • 5
  • 13
  • 31
  • `ufw status`??? – quanta Aug 30 '12 at 07:19
  • @quanta if you mean "what ports does ufw status say are blocked or open", I've edited my question to include more details. otherwise, could you perhaps be more detailed? – HorusKol Aug 31 '12 at 13:25
  • I'm afraid that you can't do it with UFW. Are you considering using rsyslog/syslog-ng to filter the log? – quanta Aug 31 '12 at 15:17

1 Answers1

0

If you use an external logging solution such as Papertrail, you can reg-ex this out of the logs that you are notified about.

We faced the same issue where we were notified about unnecessary ACK FIN messages. As we use Papertrail to send us UFW blocked logs every morning by email, there was a lot of noise. So we filtered it, and voila!

kouton
  • 189
  • 1
  • 9