On a recent rolling (12/30), it appears firewall rules aren't being logged despite having log enable on them.
The fix was simply:
sudo systemctl restart rsyslog
and firewall rules immediately started being logged.
Not sure if this is an ordering problem or what.