Hello.
Maybe you could use another tool to perform this, such as "syslog-ng". With this tool, you can specify the incoming logs from a specific firewall IP:
source s_firewall_logs {
    tcp(ip("FIREWALL_IP_ADDRESS") port(FIREWALL_PORT_NUMBER));
};
where FIREWALL_IP_ADDRESS is the IP address of your firewall and FIREWALL_PORT_NUMBER is the port number used for sending logs by your firewall.
Besides, you would need to specify where the logs are going to be stored:
destination d_firewall_logs {
    file("/var/log/firewall/FIREWALL_IP_ADDRESS.log");
};
Notice that these logs are going to be duplicated: in archives.log and in the new file where you want to store these logs.
Hope it helps.
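
A fuller version of the configuration above, added here as an example and not part of the original post. It assumes the fragment is appended to an existing syslog-ng.conf, that ip() on a tcp() source is the local listening address, and that the sending firewall is selected with a netmask() filter; the filter name f_firewall_sender, the 0.0.0.0 bind address and the file options are choices made for this example.

```conf
# Added example: fragment for an existing syslog-ng.conf.
# FIREWALL_IP_ADDRESS and FIREWALL_PORT_NUMBER are the post's placeholders;
# replace them with your own values.

# Listen for TCP syslog on all local interfaces.
# ip() here is the local address syslog-ng binds to.
source s_firewall_logs {
    tcp(ip("0.0.0.0") port(FIREWALL_PORT_NUMBER));
};

# Keep only messages whose sender address is the firewall.
filter f_firewall_sender {
    netmask(FIREWALL_IP_ADDRESS/32);
};

# Write the firewall's messages to their own file.
# create-dirs(yes) creates /var/log/firewall if it is missing;
# perm(0640) keeps the log unreadable to other local users.
destination d_firewall_logs {
    file("/var/log/firewall/FIREWALL_IP_ADDRESS.log"
         create-dirs(yes)
         perm(0640));
};

# A source and a destination do nothing until a log path joins them.
log {
    source(s_firewall_logs);
    filter(f_firewall_sender);
    destination(d_firewall_logs);
};
```

Running `syslog-ng --syntax-only` after the edit checks the file for errors before the service is reloaded.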