On Sun, 20 Feb 2022 at 21:10, Sam Varshavchik <mrsam@courier-mta.com> wrote:
I have a rich firewalld rule with a "log" option:

# firewall-cmd --list-rich-rules

< ... >

rule family="ipv4" forward-port port="[port]" protocol="tcp" to-port="[port]" to-addr="[ip addr]" log level="info" limit value="[log frequency]"

Actual numbers changed to protect the guilty.

I cannot find anything being logged, anywhere. According to 
firewalld.richlanguage, this should get logged to syslog. The default 
rsyslog.conf specifies all info-level messages going to /var/log/messages:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Port forwarding is working, but even when I hit the port I see nothing get 
logged.

Just on a lark, I also tried 'journalctl -f', and nothing shows up there, 
either.

firewalld is using the netfilters backend.

After some head-banging, and copious searching:

# nft list table inet firewalld

I found this in the output:

        chain nat_PRE_FedoraServer_allow {
                meta nfproto ipv4 tcp dport [port] dnat ip to [host:port]  
        }

I see nothing here that suggests that anything is going to get logged.

So, I'm just guessing that firewall-cmd either does not implement the log 
option, in the net-filter back-end, or the net-filter back-end simply does 
not implement any kind of logging (which seems unlikely).

Anyone know anything more on this?


The author says he used logs to work out the details, but doesn't say how the logs were
obtained. There is lots of old stuff on netfilter logging:

Logging traffic - nftables wiki (from 2017) uses ulogd.

Keeping firewall logs out of Linux’s kernel log with ulogd2 – The ongoing struggle (strugglers.net)

--
George N. White III
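As an added example (not part of this thread, and not firewalld's own tooling), here is a small shell check for the situation Sam describes: it scans the output of `nft list table inet firewalld` for a `log` statement attached to the forwarded port, so you can tell whether the rich rule's `log` option reached the nftables ruleset at all. The port, address and chain contents are constructed samples; the shape of the "with logging" chain is an assumption about how a log statement would look in nft syntax, not a claim about what firewalld emits.

```shell
#!/bin/sh
# Added example: does the nftables ruleset contain a log statement for the
# forwarded port? On a live host run:
#   forward_port_logged "$(nft list table inet firewalld)" 8080
# Port 8080 and 192.0.2.10:80 are constructed sample values.

# Constructed sample 1: the chain as seen in the post (dnat only, no log).
RULESET_NOLOG='table inet firewalld {
        chain nat_PRE_FedoraServer_allow {
                meta nfproto ipv4 tcp dport 8080 dnat ip to 192.0.2.10:80
        }
}'

# Constructed sample 2: assumed shape of the same chain if the rich rule's
# log option had been rendered as a separate nft log statement.
RULESET_LOG='table inet firewalld {
        chain nat_PRE_FedoraServer_allow {
                meta nfproto ipv4 tcp dport 8080 log prefix "fwd: " level info limit rate 1/minute
                meta nfproto ipv4 tcp dport 8080 dnat ip to 192.0.2.10:80
        }
}'

# forward_port_logged RULESET_TEXT PORT
# Prints any log statement matching the port; exit 0 if one exists, 1 otherwise.
forward_port_logged() {
    printf '%s\n' "$1" | awk -v port="$2" '
        # a line that matches the forwarded dport and carries a log statement
        $0 ~ ("dport " port " ") && / log / { found = 1; print "log statement: " $0 }
        END {
            if (!found) print "no log statement for dport " port
            exit(found ? 0 : 1)
        }'
}

# Demonstration on the two constructed rulesets (guarded so a missing
# log statement does not abort the script).
forward_port_logged "$RULESET_NOLOG" 8080 || true
forward_port_logged "$RULESET_LOG" 8080 || true
```

If the check reports no log statement, the rule was never installed with logging, so looking harder at rsyslog or journald will not help; if it does report one, the next place to look is the kernel ring buffer and the rsyslog/journald path for kernel messages.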