The problem seems to be related to a bug as said in the comment. However, for those who are still having trouble to get the logging of firewall denial packets, the following approach worked for me:
The following worked with firewalld+rsyslogd
Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required)
LogDenied=allrestart firewalld
sudo systemctl restart firewalldAlternatively, using the command line, one can execute the following command:
sudo firewall-cmd --set-log-denied allThis typically adds logging rules just before reject/drop rules in the firewall, something like:
LOG all -- anywhere anywhere LOG level warning prefix "IN_drop_DROP: "LOG all -- anywhere anywhere LOG level warning prefix "FINAL_REJECT: "Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it:
:msg,contains,"_DROP" /var/log/iptables.log& stop:msg,contains,"_REJECT" /var/log/iptables.log& stoprestart rsyslog
sudo systemctl restart rsyslog Now the dropped and rejected packets will be logged to /var/log/iptables.log