Enabling Logs with firewalld

Even if your distro comes pre-installed with firewalld, the logging is disabled by default. Sure, the service is up and running but won't capture any log to suggest who's trying to get inside of your network.

Strange but true.

So in this tutorial, I will walk you through two ways to enable logging in firewalld:

  • Using the configuration file
  • Using the firewall-cmd command (easy and quick)

How to enable logging in firewalld using the configuration file

To enable logging in firewalld, open the firewalld.conf file using the following command:

sudo nano /etc/firewalld/firewalld.conf 

Once you open the configuration file through the above command, find the following line:

LogDenied=off

Change it with the desired logging level:

LogDenied=<Logging_level>

You get 4 different logging levels:

  • all: Logs all dropped packets (unicast, broadcast, multicast).
  • unicast: Records packets of only one-to-one communication.
  • broadcast: Logs packets of only one-to-many communication.
  • multicast: Records packets of only one-to-many communications but only for a specific group.

For example, if you want to change your logging level to all, then you'll be using the following:

LogDenied=all

Once done, save changes and exit from the nano editor.

But to take effect from the changes you've made, you'd need to reload the firewall using the following command:

sudo firewall-cmd --reload

How to enable logging using the firewall-cmd command

This is the easiest way to enable logging as you don't have to deal with the configuration files. Execute one command and that's it.

📋
I've already mentioned logging levels and their use in a previous method so I'll skip mentioning them here.

To use the firewall-cmd command to enable logging, it needs to be executed in the following manner:

sudo firewall-cmd --set-log-denied=<Logging_level>

For example, if I want to set my logging level to broadcast, then I'll be using the following:

sudo firewall-cmd --set-log-denied=broadcast

Once done, you can check the current logging level using the following:

sudo firewall-cmd --get-log-denied

Wrapping Up...

In this quick tutorial, I went through how you can enable firewalld logging using two different methods.

I'm in favor of the first method as I love to set things manually in the configuration so I can be more aware of the tweaks I make to the system. But that's totally up to you.

I hope you will find this guide helpful.