Firewalld - Logging denied packets enabled - not logging

The problem seems to be related to a bug as said in the comment. However, for those who are still having trouble to get the logging of firewall denial packets, the following approach worked for me:

The following worked with firewalld + rsyslogd

Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required)

LogDenied=all

restart firewalld

sudo systemctl restart firewalld

Alternatively, using the command line, one can execute the following command:

sudo firewall-cmd --set-log-denied all

This typically adds logging rules just before reject/drop rules in the firewall, something like:

LOG  all  --  anywhere   anywhere  LOG level warning prefix "IN_drop_DROP: "
LOG  all  --  anywhere   anywhere  LOG level warning prefix "FINAL_REJECT: "

Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it:

:msg,contains,"_DROP" /var/log/iptables.log
& stop
:msg,contains,"_REJECT" /var/log/iptables.log
& stop

restart rsyslog

sudo systemctl restart rsyslog   

Now the dropped and rejected packets will be logged to /var/log/iptables.log


Awesome job, this helped me go down the right path, I appreciate the post.

The only thing I noticed is that I believe that the location for LogDenied=all should be /etc/firewalld/firewalld.conf since /etc/sysconfig/firewalld is for startup command line options. Additionally the file for rsyslog might be better named with a .conf, sometimes default include statements might not look for a .log file.

Really good job VanagaS!

ref: https://firewalld.org/documentation/man-pages/firewalld.conf.html