First make sure you have logging set. Example in /etc/shorewall/policy

#SOURCE DEST  POLICY    LOG LIMIT:    CONNLIMIT:
#       LEVEL BURST   MASK
# fw-to-all
$FW all ACCEPT - -
# net-to-all
net all DROP info -
# all-to-all
all all DROP info -
#LAST LINE -- DO NOT REMOVE

Example from /etc/shorewall/rules

#############################################################################################################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#
LOG:info all all
...<rest of rules>...

To log events created by Shorewall in a custom file called “firewall.log” in /var/log directory first edit the /etc/shorewall/shorewall.conf file. Edit this line:

LOGFILE=/var/log/firewall.log

You should also change LOGFORMAT to something like

LOGFORMAT="shorewall log: %s %s"

Actual logging is managed by rsyslog daemon. Create a new file called “firewall.conf” in /etc/rsyslog.d/ and add this:

:msg, contains, "Shorewall:" -/var/log/firewall.log
& ~

From new version of rsyslog (8.4.2, on Debian 9) use “stop” instead of tilda:

:msg, contains, "Shorewall:" -/var/log/firewall.log
& stop

Now restart rsyslog service and shorewall

Create the file /etc/logrotate.d/firewall and put this in it:

/var/log/firewall.log {
        rotate 4
        weekly
        missingok
        notifempty
        delaycompress
        compress
}

Don't forget to check if startup is enabled in /etc/default/shorewall[6]

• Debian 9,10

• Prevent programm from logging to daemon.log