Logwatch with RegEx Filter UFW Monitoring

I am looking to monitor the ufw.log file for successful connections to ports that have been designated for specific IP address(es) only. From what I surmise in viewing the logs, it will require multiple regex conditions. Here are the data values from the logs I think will work:

IN=eth0 DPT=22 SRC=10.10.10.10

Interface (IN) inbound
DestPort (22) ssh
Source (10.10.10.10) will need to negate/exclude the expected IP address(es) so it triggers on unknown IPs.

I wish there was a more straightforward way to capture this simply from a security concern, but UFW logging does not agree.

Something like this?

/var/log/ufw.log

# --- SSH (Port 22) - Whitelist: 10.10.10.10 ---
# Match any IP on port 22 (with boundaries)
W IN=\S+.*DPT=22\b.*SRC=(\d{1,3}\.){3}\d{1,3}\b
# Downgrade exact whitelisted IP to INFO
I IN=\S+.*DPT=22\b.*SRC=10\.10\.10\.10\b

# --- HTTPS Admin (Port 8443) - Whitelist: 192.168.1.0/24 ---
W IN=\S+.*DPT=8443\b.*SRC=(\d{1,3}\.){3}\d{1,3}\b
I IN=\S+.*DPT=8443\b.*SRC=192\.168\.1\.\d{1,3}\b

# --- MySQL (Port 3306) - Whitelist: localhost + 10.10.10.0/24 ---
W IN=\S+.*DPT=3306\b.*SRC=(\d{1,3}\.){3}\d{1,3}\b
I IN=\S+.*DPT=3306\b.*SRC=127\.0\.0\.1\b
I IN=\S+.*DPT=3306\b.*SRC=10\.10\.10\.\d{1,3}\b

# --- Port 21 (FTP) - Ignore completely ---
I IN=\S+.*DPT=21\b

Pattern Tester

#!/bin/bash
# Test your patterns
# QUICK TEST SCRIPT
# =================================================================

TEST_LINES=(
    "IN=eth0 DPT=22 SRC=10.10.10.10"
    "IN=eth0 DPT=22 SRC=100.10.10.10"
    "IN=eth2 DPT=22 SRC=10.10.10.10"
    "IN=eth2 DPT=22 SRC=10.10.100.10"
    "IN=eth2 DPT=22 SRC=10.100.10.10"
    "IN=eth2 DPT=21 SRC=10.10.10.10"
)

PATTERN_ALL='DPT=22\b.*SRC=(\d{1,3}\.){3}\d{1,3}\b'
PATTERN_WHITELIST='DPT=22\b.*SRC=10\.10\.10\.10\b'

echo "=== Testing Pattern: Match ALL port 22 ==="
for line in "${TEST_LINES[@]}"; do
    if echo "$line" | grep -qP "$PATTERN_ALL"; then
        echo "✓ MATCH: $line"
    else
        echo "✗ NO MATCH: $line"
    fi
done

echo ""
echo "=== Testing Pattern: Match ONLY 10.10.10.10 ==="
for line in "${TEST_LINES[@]}"; do
    if echo "$line" | grep -qP "$PATTERN_WHITELIST"; then
        echo "✓ MATCH: $line"
    else
        echo "✗ NO MATCH: $line"
    fi
done

regex101: build, test, and debug regex

Greetz Bernd
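Added example, not part of Bernd's post: a single grep -P pattern per port that flags an allowed inbound connection only when the source is outside the whitelist (PCRE negative lookahead), so no W/I pattern pair is needed. It assumes the real ufw.log layout (a [UFW ALLOW] tag and SRC appearing before DPT, which is why order-independent lookaheads are used) and runs over constructed, abbreviated log lines.

```shell
#!/bin/bash
# Added example, not Bernd's config: one PCRE per port that matches an
# allowed inbound connection ONLY when SRC is outside the whitelist, using
# a negative lookahead instead of a W/I pair. Lookaheads make the field
# order irrelevant, since in real ufw.log lines SRC comes before DPT.

# Constructed, abbreviated ufw.log lines (MAC=/LEN=/TTL= fields dropped).
SAMPLE_LOG='Jan 10 12:00:01 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=10.10.10.10 DST=10.10.10.5 PROTO=TCP SPT=51000 DPT=22
Jan 10 12:00:02 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=100.10.10.10 DST=10.10.10.5 PROTO=TCP SPT=51001 DPT=22
Jan 10 12:00:03 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=10.10.10.11 DST=10.10.10.5 PROTO=TCP SPT=51002 DPT=22
Jan 10 12:00:04 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=10.10.10.100 DST=10.10.10.5 PROTO=TCP SPT=51003 DPT=22
Jan 10 12:00:05 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.7 DST=10.10.10.5 PROTO=TCP SPT=51004 DPT=8443
Jan 10 12:00:06 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.2.7 DST=10.10.10.5 PROTO=TCP SPT=51005 DPT=8443
Jan 10 12:00:07 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.10.5 PROTO=TCP SPT=51006 DPT=22
Jan 10 12:00:08 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=10.10.10.10 DST=10.10.10.5 PROTO=TCP SPT=51007 DPT=221
Jan 10 12:00:09 host kernel: [UFW ALLOW] IN= OUT=eth0 SRC=10.10.10.5 DST=198.51.100.4 PROTO=TCP SPT=51008 DPT=22
Jan 10 12:00:10 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=10.10.10.77 DST=10.10.10.5 PROTO=TCP SPT=51009 DPT=3306
Jan 10 12:00:11 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=172.16.0.9 DST=10.10.10.5 PROTO=TCP SPT=51010 DPT=3306'

# alert_pattern PORT ALLOW
#   ALLOW is a PCRE alternation of escaped addresses/prefixes, e.g.
#   '127\.0\.0\.1|10\.10\.10\.\d{1,3}'. The (?!\d) after it stops
#   10\.10\.10\.10 from also excusing 10.10.10.100; (?!\d) after the
#   port stops DPT=22 from matching DPT=221; IN=\S keeps inbound only.
alert_pattern() {
    printf '%s\n' '\[UFW ALLOW\](?=.*\bIN=\S)(?=.*\bDPT='"$1"'(?!\d))(?=.*\bSRC=(?!(?:'"$2"')(?!\d))\d)'
}

# unexpected_sources PORT ALLOW
#   Prints the SRC of every logged, allowed, inbound connection to PORT
#   whose source is not whitelisted: exactly the lines to raise as W.
unexpected_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -P "$(alert_pattern "$1" "$2")" \
      | grep -oP '\bSRC=\K[0-9.]+'
}

# Stand-alone run: the three port policies from the post.
unexpected_sources 22   '10\.10\.10\.10'
unexpected_sources 8443 '192\.168\.1\.\d{1,3}'
unexpected_sources 3306 '127\.0\.0\.1|10\.10\.10\.\d{1,3}'
```

With the default logging level (low), ufw writes [UFW ALLOW] lines only for rules created with the log keyword (for example ufw allow log 22/tcp), so each monitored port's rule needs that or a higher logging level, otherwise there is nothing to match.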