Can logging be enabled in FirewallD
I know this is a dated post, but I've been searching for this today, and have found tons of old blogs that attempt to address this issue. For the public, this update from Red Hat should be more available than only to subscribers:
Upgrade to firewalld-0.4.3.2-8.el7 from Errata RHSA-2016:2597
Specify which packets should be logged
firewall-cmd --set-log-denied=<value>
value may be one of: all, unicast, broadcast, multicast, or off
Source: https://access.redhat.com/solutions/1191593
According to this page, the FirewallD logs are at /var/log/firewalld. To get debug messages, you need to run it with --debug or --debug=2.
For logging the traffic blocked by firewalld, the following approach with rsyslogd worked for me:
Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required):
LogDenied=all
restart firewalld
sudo systemctl restart firewalld
This typically adds logging rules just before reject/drop rules in the firewall, something like:
LOG all -- anywhere anywhere LOG level warning prefix "IN_drop_DROP: "
LOG all -- anywhere anywhere LOG level warning prefix "FINAL_REJECT: "
Create a file named /etc/rsyslog.d/custom_iptables.conf (note the extension is .conf) and add the following statements to it:
:msg,contains,"_DROP" /var/log/iptables.log
:msg,contains,"_REJECT" /var/log/iptables.log
& stop
restart rsyslog
sudo systemctl restart rsyslog
Now the dropped and rejected packets will be logged to /var/log/iptables.log
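The procedure above as a runnable POSIX shell script, added here as an example; it is not part of the answer and not firewalld's or rsyslog's own code. It sets LogDenied idempotently in whatever sysconfig file you point it at (replacing an existing line rather than appending a duplicate), writes the rsyslog filter, and then reduces the resulting log to a count per log prefix, source address, protocol and destination port, which is the first thing you want once the log starts filling. The function names, the temporary paths and the sample kernel log lines are my own constructions, shaped to match the "IN_drop_DROP:" and "FINAL_REJECT:" prefixes shown in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. Paths are passed in so the
# functions can be exercised on copies; on a live host run them as root against
# the real files (e.g. /etc/rsyslog.d/custom_iptables.conf).

# Set LogDenied=<value> in a firewalld config file. Replaces an existing
# LogDenied line or appends one, and rejects values firewalld does not accept
# (the same set as firewall-cmd --set-log-denied).
set_log_denied() {
  file=$1 value=$2
  case $value in
    all|unicast|broadcast|multicast|off) ;;
    *) echo "invalid LogDenied value: $value" >&2; return 1 ;;
  esac
  if grep -q '^LogDenied=' "$file"; then
    sed "s/^LogDenied=.*/LogDenied=$value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'LogDenied=%s\n' "$value" >> "$file"
  fi
}

# Write the rsyslog property filter. "&" repeats the selector of the preceding
# line, so "& stop" is placed after EACH match to keep both _DROP and _REJECT
# messages out of /var/log/messages once they are written to $logfile.
write_rsyslog_filter() {
  conf=$1 logfile=$2
  cat > "$conf" <<EOF
:msg,contains,"_DROP" $logfile
& stop
:msg,contains,"_REJECT" $logfile
& stop
EOF
}

# Reduce iptables LOG lines to "count prefix SRC PROTO DPT", most frequent
# first. The prefix is the token that precedes ": IN=" on the line; DPT is "-"
# for protocols without ports (ICMP).
summarize_denied() {
  awk '
    match($0, /[A-Za-z0-9_]+: IN=/) {
      prefix = substr($0, RSTART, RLENGTH - 5)   # drop the trailing ": IN="
      src = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC")   src = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt = kv[2]
      }
      print prefix, src, proto, dpt
    }' "$1" | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Constructed sample of what rsyslog writes for the LOG rules above.
SAMPLE_LOG=$(cat <<'EOF'
Jun 12 10:01:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:01:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:01:09 host kernel: IN_drop_DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=61 TOS=0x00 PREC=0x00 TTL=61 ID=4 DF PROTO=UDP SPT=40000 DPT=53 LEN=41
Jun 12 10:01:15 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
)

# Demonstration on copies in a scratch directory.
demo_dir=$(mktemp -d)
printf 'FIREWALLD_ARGS=\nLogDenied=off\n' > "$demo_dir/firewalld"
set_log_denied "$demo_dir/firewalld" all
write_rsyslog_filter "$demo_dir/custom_iptables.conf" /var/log/iptables.log
printf '%s\n' "$SAMPLE_LOG" > "$demo_dir/iptables.log"
summarize_denied "$demo_dir/iptables.log"
rm -rf "$demo_dir"
```

Two checks worth making on the real host: after restarting firewalld, `firewall-cmd --get-log-denied` should print the value you set (firewalld keeps its own LogDenied key in /etc/firewalld/firewalld.conf, which is the file `firewall-cmd --set-log-denied` edits), and `iptables -S | grep LOG` should show the prefixed LOG rules before the REJECT/DROP rules. Note that in rsyslog's legacy filter syntax a single `& stop` only applies to the filter line directly above it, so with the two-line filter in the answer the `_DROP` matches are still duplicated into /var/log/messages; the script above puts a `& stop` after each match.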