Logging is generally not enabled with ufw by default because the files can get very big, very quickly. That said, if you would like to enable the logs, you can do so like this:
sudo ufw logging on
From here, you'll see a ufw.log file in /var/log that rotates on the same schedule as the rest of the files in that directory.
One thing to note is that the logging level is set to low by default. Depending on how verbose you would like the logs to be, you can change the setting like this:
sudo ufw logging medium
The different levels, as outlined in the manual:

| Option | Verbosity |
| --- | --- |
| off | disables ufw managed logging |
| low | logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching logged rules |
| medium | log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new connections. All logging is done with rate limiting. |
| high | log level medium (without rate limiting), plus all packets with rate limiting |
| full | log level high without rate limiting |
Note that if you do want to keep all of the UFW logs on a heavily-trafficked web server (500+ requests per minute), you will want to ensure /var/log is on a flash-based storage device and ideally has about 20GB of free space with a log shipping plan in place to move rotated logs off the machine.
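
To judge what a given logging level costs in disk space, the following added example (not part of the original page) tallies ufw.log entries per log tag and lists the most frequently blocked sources. It assumes the usual kernel-log line format with tags such as `[UFW BLOCK]` and `[UFW AUDIT]`; the function names and the abbreviated sample lines are constructed for illustration.

```bash
# Constructed, abbreviated sample lines in the kernel-log format ufw writes
# (documentation-range addresses; not taken from a real host).
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 web1 kernel: [1001.10] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44123 DPT=23
Jan 10 12:00:02 web1 kernel: [1002.20] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44124 DPT=2323
Jan 10 12:00:03 web1 kernel: [1003.30] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=3389
Jan 10 12:00:04 web1 kernel: [1004.40] [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22
Jan 10 12:00:05 web1 kernel: [1005.50] [UFW AUDIT] IN=eth0 OUT= SRC=198.51.100.51 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=443
Jan 10 12:00:06 web1 kernel: [1006.60] [UFW AUDIT INVALID] IN=eth0 OUT= SRC=198.51.100.52 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40002 DPT=443
EOF
}

# Reads log lines on stdin; prints "<tag> <lines> <bytes>" per tag, sorted by tag.
# AUDIT entries only appear from level medium upward, so their share shows
# what the higher levels add to the log volume.
ufw_tag_summary() {
  awk '
    match($0, /\[UFW [A-Z ]+\]/) {
      tag = substr($0, RSTART + 5, RLENGTH - 6)   # text between "[UFW " and "]"
      gsub(/ /, "_", tag)
      lines[tag]++
      bytes[tag] += length($0) + 1                # +1 for the newline
    }
    END { for (t in lines) print t, lines[t], bytes[t] }
  ' | LC_ALL=C sort
}

# Reads log lines on stdin; prints the top N blocked sources as "<address> <count>".
ufw_top_blocked() {
  awk '/\[UFW BLOCK\]/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' |
    sort | uniq -c | sort -rn | head -n "$1" | awk '{ print $2, $1 }'
}

# Demo on the constructed sample; on a real host use: ufw_tag_summary < /var/log/ufw.log
sample_log | ufw_tag_summary
sample_log | ufw_top_blocked 3
```

Dividing the byte totals by the time span the file covers gives a per-day growth figure to compare against the free space on /var/log.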