How to get specific text in firewall log using firewalld

I use a Tumbleweed system as a honeypot. Currently I have my own iptables file to enter a marking text in the log file. However, iptables is declared obsolete, so I am looking to use firewalld for this purpose. So, I want to log unwanted packets to specific ports in a separate log file using rsyslog. In a config file in /etc/rsyslog.d/ I have:

if $msg contains " MARKTEXT " then /var/log/marked.log

In zone public I have interface eth0, and also a rich rule like:

rule port port="26" protocol="tcp" log prefix="MARKTEXT " reject

When I make a connection to port 26, I do see packets coming in using tcpdump; however, there is no message coming in the above log file or in /var/log/firewall.
The service rsyslog is active; I do see messages coming in /var/log/mail.
What am I doing wrong?

Do you mean you see messages with the correct string MARKTEXT and the correct content for rejected packets?