Firewalld - Logging denied packets enabled - not logging
The problem seems to be related to a bug as said in the comment. However, for those who are still having trouble getting the logging of firewall denial packets, the following approach worked for me:
The following worked with firewalld + rsyslogd.
Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required):
LogDenied=all
Restart firewalld:
sudo systemctl restart firewalld
Alternatively, using the command line, one can execute the following command:
sudo firewall-cmd --set-log-denied all
This typically adds logging rules just before reject/drop rules in the firewall, something like:
LOG all -- anywhere anywhere LOG level warning prefix "IN_drop_DROP: "
LOG all -- anywhere anywhere LOG level warning prefix "FINAL_REJECT: "
Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it:
:msg,contains,"_DROP" /var/log/iptables.log
& stop
:msg,contains,"_REJECT" /var/log/iptables.log
& stop
Restart rsyslog:
sudo systemctl restart rsyslog
Now the dropped and rejected packets will be logged to /var/log/iptables.log.
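Once the denied packets land in /var/log/iptables.log, the next thing a practitioner usually wants is a quick summary of who is being dropped or rejected and on which ports. The script below is an added example, not part of the original answer: it parses the kernel LOG lines that firewalld's log-denied rules produce (the standard `PREFIX: IN=... SRC=... PROTO=... DPT=...` format) using the prefixes shown above (`FINAL_REJECT`, `IN_drop_DROP`) and groups them by prefix, source address, protocol and destination port. The function names (`summarize_denied`, `count_denied`, `top_source`) are my own, and the sample log lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: summarise firewalld log-denied entries written by rsyslog.
# Assumes the kernel LOG line format ("kernel: PREFIX: IN=... SRC=... PROTO=... DPT=...")
# and prefixes ending in _DROP or _REJECT, as produced by `firewall-cmd --set-log-denied all`.

# Constructed sample lines in the shape rsyslog writes them (not real traffic).
SAMPLE_LOG='Mar 10 12:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Mar 10 12:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=23 SYN URGP=0
Mar 10 12:00:04 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=40000 DPT=161 LEN=20
Mar 10 12:00:05 host sshd[123]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2'

# summarize_denied FILE
# Prints "COUNT PREFIX SRC PROTO DPT" per distinct tuple, highest count first.
# Lines without a *_DROP: or *_REJECT: prefix (e.g. sshd messages) are ignored.
summarize_denied() {
    grep -E 'kernel: [A-Za-z0-9_]+_(DROP|REJECT): ' "$1" |
    awk '{
        prefix = ""; src = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /_(DROP|REJECT):$/) prefix = substr($i, 1, length($i) - 1);
            else if ($i ~ /^SRC=/)   src   = substr($i, 5);
            else if ($i ~ /^PROTO=/) proto = substr($i, 7);
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5);
        }
        if (prefix != "") count[prefix " " src " " proto " " dpt]++;
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# count_denied FILE : total number of denied-packet entries in FILE
count_denied() {
    summarize_denied "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# top_source FILE : the source address with the most denied packets
top_source() {
    summarize_denied "$1" |
    awk '{ per[$3] += $1 }
         END { best = ""; for (s in per) if (best == "" || per[s] > per[best]) best = s; print best }'
}

# Usage: sh denied-summary.sh /var/log/iptables.log
# With no argument the constructed sample above is summarised instead.
if [ $# -gt 0 ]; then
    summarize_denied "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    summarize_denied "$tmp"
    rm -f "$tmp"
fi
```

On the sample input this prints `2 FINAL_REJECT 203.0.113.5 TCP 23` first, then the single hits on TCP/22 and UDP/161. The same parsing works on `journalctl -k` output on hosts that do not route kernel messages to a file, because the `PREFIX: IN=... SRC=...` part of the line is produced by the kernel, not by rsyslog.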
Awesome job, this helped me go down the right path, I appreciate the post.
The only thing I noticed is that I believe that the location for LogDenied=all should be /etc/firewalld/firewalld.conf, since /etc/sysconfig/firewalld is for startup command line options. Additionally, the file for rsyslog might be better named with a .conf; sometimes default include statements might not look for a .log file.
Really good job VanagaS!
ref: https://firewalld.org/documentation/man-pages/firewalld.conf.html