Which UFW messages can logcheck safely ignore?
Logcheck currently sends lots of emails with messages like this:
Jun 6 19:31:44 <hostname> kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<mac-address> SRC=<source-ip> DST=<destination-ip> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=28729 DF PROTO=TCP SPT=56681 DPT=80 WINDOW=16652 RES=0x00 ACK FIN URGP=0
According to this Q&A this packet is blocked because it is optional.
Is it reasonable to have the following /etc/logcheck/ignore.d.server/ufw
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[UFW BLOCK\].*ACK FIN.*
Solution 1:
In my personal opinion logcheck is worthless and should be disabled (the signal-to-noise ratio is so abysmally low, and the work required to shut it up is so extensive, that it's just better to kill it).
If you don't share that opinion, then you can generally ignore all ufw messages.
(Your ignore pattern certainly seems reasonable to me.)
You don't need to be notified that your firewall is dropping traffic.
If you're having trouble with network communications you should be smart enough to look at the firewall logs yourself. Beyond that you should be testing your firewall when you configure it to ensure that it allows what you tell it to allow, and drops everything else. Monitoring its logs after that is really superfluous.
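To see what the question's pattern and Solution 1's "ignore all ufw messages" advice actually filter, here is an added example (not part of the question or either answer) that applies both rules to a few constructed syslog lines with `grep -E -v`, which is how logcheck applies its ignore.d rule files. The hostname, addresses, MAC and log lines are made up, and the broader "drop every UFW BLOCK line" pattern is my own variant of the question's regex, not something from the page.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# logcheck feeds each ignore.d.server file to egrep -v -f, so any line
# matching ANY rule is dropped and everything else is mailed. This script
# reproduces that with a single rule per run.

# Rule from the question: drop only stray ACK FIN packets.
RULE_ACKFIN='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[UFW BLOCK\].*ACK FIN.*'
# Variant following Solution 1: drop every UFW BLOCK line (assumed pattern).
RULE_ALL_UFW='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[UFW BLOCK\].*'

# Constructed sample log: one stray ACK FIN, one SYN to ssh, one UDP probe,
# one non-firewall line. Note the two spaces after "Jun" for a one-digit day,
# which is what the {11} in the timestamp part of the rule expects.
sample_log() {
cat <<'EOF'
Jun  6 19:31:44 myhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=28729 DF PROTO=TCP SPT=56681 DPT=80 WINDOW=16652 RES=0x00 ACK FIN URGP=0
Jun  6 19:32:01 myhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 16 19:32:05 myhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Jun 16 19:33:10 myhost sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
EOF
}

# Print the lines that survive a rule, i.e. what logcheck would still report.
# Usage: some_command | report "$RULE"
report() {
    grep -E -v -e "$1" || :
}

# Number of sample lines still reported under a rule.
reported_count() {
    sample_log | report "$1" | wc -l | tr -d ' '
}

# True if the SYN to port 22 would still be reported under a rule.
reports_ssh_syn() {
    sample_log | report "$1" | grep -q 'DPT=22 .*SYN'
}

echo "Still reported with the question's ACK FIN rule:"
sample_log | report "$RULE_ACKFIN"
echo
echo "Still reported when every UFW BLOCK line is ignored:"
sample_log | report "$RULE_ALL_UFW"
```

With the question's rule only the stray ACK FIN line disappears; the SYN to port 22, the UDP probe and the sshd failure are all still mailed. With the broader rule only the sshd line survives. One caveat worth checking on your own host: both rules require `kernel: [UFW BLOCK]` to be adjacent, so if your syslog lines carry a kernel uptime stamp such as `kernel: [12345.678901] [UFW BLOCK]`, neither pattern will match and logcheck will keep reporting them.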
Solution 2:
Your problem here is probably not logcheck, but that you have logging enabled in ufw at all (disable it with sudo ufw logging off).
I think that it's most appropriate to toggle logging on when you're debugging (e.g. during initial setup of ufw and if you encounter a problem) and then have it off at all other times for performance and simplicity. So not a problem with logcheck at all, just an issue with a specific type of log being turned on.