Location of VMware NSX for vSphere 6.1.x and later Firewall Rule logs

Article ID: 339085


Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:
Starting with VMware NSX for vSphere 6.1, the location of the Firewall Rule logs has changed. When logging is enabled on the Firewall Rules, the logs are now written to the /var/log/dfwpktlogs.log file on the ESXi host.

Note: VMware is aware that the NSX for vSphere 6.1 Administration Guide still states that the location is the /var/log/vmkernel.log file on the ESXi host, which is incorrect. This is in the process of being corrected.

Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.2.x

Resolution

Firewall generates and stores three types of logs:

Rules Message Logs: Include all access decisions, such as permitted or denied traffic, for each rule if logging was enabled for that rule. These are stored in /var/log/dfwpktlogs.log on each ESXi host.

Audit Logs: Include administration logs and Distributed Firewall configuration changes. These are stored in vsm.log*

System Event Logs: Include events such as Distributed Firewall configuration applied; filter created, deleted, or failed; and virtual machines added to security groups. These are stored in vsm.log*

Note: vsm.log can be accessed by running the show manager log command from the NSX Manager Command Line Interface (CLI) and performing a grep for the keyword vsm.log.

For more information, see Collecting diagnostic information for VMware NSX for vSphere 6.x (2074678).