I enabled UFW on an Ubuntu server recently and started getting all manner of stuff in my logwatch reports. It activated a section called 'iptables' and started logging every line in syslog with [UFW BLOCK] in it. It was marginally interesting, but not really worth the space devoted to it, so I decided to write a little script to parse the UFW log and summarise the top Blocked Hosts and top Blocked Ports. Therefore I could easily see if there was a change in pattern.