DFW rules are configured with logging turned on. Rule statistics show hits but the syslog server doesn't show any log messages.

Article ID: 405087

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

A DFW rule is configured with logging and rule statistics show hits but the syslog server doesn't show any log messages.

Environment

vDefend Firewall, all versions

Cause

A physical firewall between the ESXi host and the syslog server is blocking the syslog traffic.

Resolution

This process assumes that vmk0 is used for the management traffic. Change the vmk number to whichever one is used for management traffic in your environment.

  1. Verify the log is being written on the ESXi host in /var/run/log/dfwpktlogs.log. Tail the log in ESXi and generate traffic that will hit the rule.
    [user@ESXi_host:~] tail -f /var/run/log/dfwpktlogs.log | grep <rule number>
    2025-07-23T14:33:05.407Z xxxxxxxx INET match PASS ##### IN 78 UDP 192.168.0.10/24->192.168.0.11/24 DFW-Log-Label
  2. Verify that syslog data is being sent to the remote syslog server via the Management vmkernel.
    • Verify the ESXi firewall is allowing outgoing connections on the protocol and port you are using for syslog.
    • See Configuring syslog on ESXi
    • Every DFW log contains the text FIREWALL-PKTLOG, so it is easy to filter out all non-DFW messages by searching for that text.
    • Capture packets to prove the data is being sent and verify that the log entry actually leaves the host.
      • Option 1: capture and filter live on the ESXi host
        [user@ESXi_host:~] pktcap-uw --vmk vmk0 --udpport 514 --ng -o - | tcpdump-uw -envvvr - | grep -i FIREWALL-PKTLOG | grep -i <rule-ID or DFW-Log-Label>
        • Note: The three "v"s in the tcpdump-uw command are necessary for additional verbosity.
      • Option 2: capture and filter in Wireshark
        [user@ESXi_host:~] pktcap-uw --vmk vmk0 --udpport 514 --ng -o /tmp/dfwpktlog.pcap
        • Sample Wireshark Filters
          syslog contains "FIREWALL-PKTLOG" && syslog contains "match PASS ###"   (where ### is the rule number)
          frame contains "FIREWALL-PKTLOG"
  3. If the packets are seen in the pktcap-uw output but do not arrive at the syslog server, then they are being lost in transit, and that is outside of Broadcom's control.
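To make the comparison between step 1 (what the host logged) and step 2 (what the collector received) repeatable, here is an added example, not code from the article or from Broadcom: a small parser for the dfwpktlogs line format shown above that counts hits per rule and reports rule IDs seen on the host but never seen in FIREWALL-PKTLOG messages at the collector. The field layout is inferred from the single sample line on this page, and the host and syslog lines below are constructed, with placeholder rule IDs and labels.

```python
"""Compare DFW packet-log hits on the ESXi host with what the syslog collector received."""
import re
from collections import Counter

# Field layout inferred from the article's sample line (an assumption, not a spec):
# <ts> <id> INET match <ACTION> <rule-id> <IN|OUT> <len> <proto> <src>-><dst> [label]
DFW_RE = re.compile(
    r"(?P<ts>\S+) (?P<id>\S+) INET match (?P<action>[A-Z]+) (?P<rule>\d+) "
    r"(?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\w+) (?P<src>\S+)->(?P<dst>\S+)"
    r"(?: (?P<label>\S+))?"
)

def parse_dfw_line(line):
    """Return the parsed fields as a dict, or None if the line is not a DFW match entry."""
    m = DFW_RE.search(line)
    return m.groupdict() if m else None

def hits_per_rule(lines):
    """Count match entries per rule id, i.e. what 'tail -f ... | grep <rule>' shows on the host."""
    counts = Counter()
    for line in lines:
        rec = parse_dfw_line(line)
        if rec:
            counts[rec["rule"]] += 1
    return counts

def rules_missing_at_collector(host_lines, syslog_lines):
    """Rule ids present in /var/run/log/dfwpktlogs.log but absent from the collector.
    Only collector lines carrying the FIREWALL-PKTLOG tag are considered DFW messages."""
    on_host = hits_per_rule(host_lines)
    at_collector = hits_per_rule(l for l in syslog_lines if "FIREWALL-PKTLOG" in l)
    return sorted(r for r in on_host if r not in at_collector)

# Constructed sample data (not from the article); ids, rule numbers and labels are placeholders.
HOST_LOG = [
    "2025-07-23T14:33:05.407Z 12ab34cd INET match PASS 1024 IN 78 UDP 192.168.0.10/24->192.168.0.11/24 DFW-Log-Label",
    "2025-07-23T14:33:06.112Z 12ab34cd INET match DROP 2048 OUT 60 TCP 10.0.0.5/32->10.0.1.9/32 Block-SMB",
    "2025-07-23T14:33:07.001Z 12ab34cd INET match PASS 1024 IN 78 UDP 192.168.0.10/24->192.168.0.11/24 DFW-Log-Label",
]
SYSLOG_RX = [  # constructed collector-side lines; the syslog header wrapper is an assumption
    "<134>2025-07-23T14:33:05Z esxi01 dfwpktlogs: FIREWALL-PKTLOG 2025-07-23T14:33:05.407Z 12ab34cd INET match PASS 1024 IN 78 UDP 192.168.0.10/24->192.168.0.11/24 DFW-Log-Label",
    "<134>2025-07-23T14:33:09Z esxi01 vmkernel: cpu3: unrelated message",
]

if __name__ == "__main__":
    print("host hits per rule:", dict(hits_per_rule(HOST_LOG)))
    print("rules never seen at collector:", rules_missing_at_collector(HOST_LOG, SYSLOG_RX))
```

Feed the script the tail output from the host and an export from the collector; any rule ID it reports as missing is a candidate for the in-transit loss described in step 3.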

Additional Information

The pktcap-uw commands assume you are using the default settings for syslog data.

  • Protocol UDP
  • Port 514

Change the commands to match your environment, if not using the defaults.