Lately I'm working on a project for work that's involving standing up Syslog servers for various sources such as Cisco FTD's, WLC's and other Linux servers. We have standardized on FirewallD and Ubuntu (cue the lols) I know, I know.. an uncommon pairing. But it works fine and while I'll admit not quite as easy to manage as UFW it's pretty solid.
Anyway, one problem I've had with FirewallD is how to handle it's own logging functions. By default it's conf file only supports the enabling or disabling of logging denied packets. Everything else seems to be split between kern.log and syslog however it seems the facility on all of them is 'kernel'. I want all of it to be sent to a specific log file, in this case /var/log/firewalld.log.
Today I finally figured out how:
if ($programname == 'kernel') and ($msg contains "FwD ") then { Action (type="omfile" file="/var/log/firewalld") stop }
Message contains "FwD" is included because everyone one of my rich rules in FirewallD has a 'log prefix' of "FwD" then usually I tag on a bit extra like "SSH In", or "SNMP In" so my logs are easier to read.