Method 1: Using --set-log-denied
You can use the firewalld option "--set-log-denied" to create log entries whenever packets are dropped.
1. First of all, check if the option is already enabled at firewalld.
# firewall-cmd --get-log-denied
off
As you can see the option is currently disabled.
2. To enable the logging, run:
# firewall-cmd --set-log-denied=[value]
Here, the value can be any of the below:
- all
- unicast
- broadcast
- multicast
- off
3. You can verify if the logging is enabled using the same command again.
# firewall-cmd --get-log-denied
all
Method 2: Using /etc/firewalld/firewalld.conf
1. In the firewalld configuration file, configure firewalld to log dropped packets.
# vim /etc/firewalld/firewalld.conf
# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=all
The value may be one of: all, unicast, broadcast, multicast, or off (in our case we have set it to all).
Change location of logfile for logging dropped packets using firewalld
Now, by default the dropped packets are logged to the file /var/log/messages. In order to change the logging location, we need to configure rsyslog to capture the dropped-packet messages.
1. Create /etc/rsyslog.d/firewalld.conf with the following:
# log DROP and REJECT firewalld messages to /var/log/firewalld.log
:msg,contains,"_DROP" /var/log/firewalld.log
& stop
:msg,contains,"_REJECT" /var/log/firewalld.log
& stop
The file /var/log/firewalld.log can be replaced by any file of your choice.
2. Restart the rsyslog service for the changes to take effect.
# systemctl restart rsyslog.service
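Once rsyslog is routing the "_DROP"/"_REJECT" messages into /var/log/firewalld.log, the next thing an administrator wants is a quick summary of which sources and ports are being denied. The following is an added example, not part of the original article: it runs over a few constructed log lines in the kernel netfilter key=value format (the FINAL_REJECT, FINAL_DROP and STATE_INVALID_DROP prefixes are assumed to match firewalld's default rules) and tallies denied packets by source address, protocol and destination port.

```shell
#!/bin/sh
# Summarise firewalld denied-packet log lines by SRC, PROTO and DPT.
# Constructed sample of what rsyslog writes to /var/log/firewalld.log;
# the last line is an unrelated sshd message that must be ignored.
SAMPLE_LOG='Jun 10 09:12:01 host1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 09:12:03 host1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Jun 10 09:12:05 host1 kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=... SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=443 DPT=41002 ACK URGP=0
Jun 10 09:12:07 host1 kernel: FINAL_DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=64 PROTO=UDP SPT=5353 DPT=5353 LEN=44
Jun 10 09:12:09 host1 sshd[1234]: Accepted publickey for admin from 192.0.2.5'

# count_denied: number of denied-packet lines on stdin (same match the rsyslog rule uses)
count_denied() {
    grep -cE '_(DROP|REJECT): '
}

# summarize_denied: read log lines on stdin, print "count SRC PROTO DPT",
# most frequent first. Only the key=value tokens are inspected, so the
# position of fields in the line does not matter.
summarize_denied() {
    grep -E '_(DROP|REJECT): ' |
    awk '{
        src = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (src != "") count[src " " proto " " dpt]++;
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# Usage on the real file: summarize_denied < /var/log/firewalld.log
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

Repeated hits from one source against a closed port (here 203.0.113.7 on TCP/23) stand out immediately, while a single STATE_INVALID_DROP from port 443 is usually just a late packet from a closed session.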