Can logging be enabled in FirewallD

I know this is a dated post, but I've been searching for this today, and have found tons of old blogs that attempt to address this issue. For the public, this update from Red Hat should be more available than only to subscribers:

Upgrade to firewalld-0.4.3.2-8.el7 from Errata RHSA-2016:2597

Specify which packets should be logged

firewall-cmd --set-log-denied=<value>

value may be one of: all, unicast, broadcast, multicast, or off

Source: https://access.redhat.com/solutions/1191593


According to this page, the FirewallD logs are at /var/log/firewalld. To get debug messages, you need to run it with --debug or --debug=2.


For logging the traffic blocked by firewalld, the following approach with rsyslogd worked for me:

Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required)

LogDenied=all

restart firewalld

sudo systemctl restart firewalld

This typically adds logging rules just before reject/drop rules in the firewall, something like:

LOG  all  --  anywhere   anywhere  LOG level warning prefix "IN_drop_DROP: "
LOG  all  --  anywhere   anywhere  LOG level warning prefix "FINAL_REJECT: "

Create a file named /etc/rsyslog.d/custom_iptables.conf (note extension is.conf) and add the following statements to it:

:msg,contains,"_DROP" /var/log/iptables.log
:msg,contains,"_REJECT" /var/log/iptables.log
& stop

restart rsyslog

sudo systemctl restart rsyslog   

Now the dropped and rejected packets will be logged to /var/log/iptables.log