As per the NSX Firewall Logs documentation, logs are stored on each host in /var/log/dfwpktlogs.log,
so you should be able to filter by 'dfwpktlogs'.
There is also a blog post as a reference on how to use Logstash to filter DFW logs here: https://everythingshouldbevirtual.com/vmware-nsx-firewall-logging-logstash/
Bayu Wibowo | vExpert NSX, VCIX6-DCV/NV, Cisco Champion, AWS-SAA
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://nz.linkedin.com/in/bayupw | twitter @bayupw
I would like to clarify: when the ESXi host sends the logs to the syslog server, is the entire log file dfwpktlogs.log sent to the syslog server, or are only the logs inside dfwpktlogs.log sent to the syslog server?
If only the logs are sent, what keyword do I need to use on the syslog server to filter out only the NSX DFW logs so that they can be put into a separate folder?
Each separate log line inside the dfwpktlogs.log file is sent to the syslog server, although with the same name, not the file itself. Each of these lines contains the word dfwpktlogs, which indicates that it comes from the NSX dFW logged rules. So, as pointed out previously, the dfwpktlogs keyword could be used to select dFW logs and put them into a separate folder.
In addition, Rule-Id, source and destination ports and IP addresses could be used to filter the logs. These links could be helpful:
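
The selection described in the replies above, as an added Python example that is not part of the thread and not VMware code: it separates syslog lines carrying the `dfwpktlogs` keyword from the rest and filters them by rule ID, addresses and ports. The line layout, host names and sample lines are constructed assumptions; adjust the pattern to what your hosts actually send.

```python
import re
from collections import defaultdict

# Constructed sample of a mixed syslog stream as a collector might receive it.
# The DFW line layout below is an assumption, not taken from the thread.
SAMPLE = """\
2017-04-11T21:09:58.101Z esx01.example.test Hostd: info hostd[2099] Task completed
2017-04-11T21:09:59.877Z esx01.example.test dfwpktlogs: 50047 INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138
2017-04-11T21:10:00.012Z esx02.example.test vmkernel: cpu3:33491)NetPort: enabled port
2017-04-11T21:10:01.340Z esx02.example.test dfwpktlogs: 50112 INET match PASS domain-c7/1001 IN 60 TCP 10.1.2.3/33491->10.4.5.6/443 S
2017-04-11T21:10:02.000Z esx01.example.test dfwpktlogs: truncated
"""

KEYWORD = "dfwpktlogs"
FIELDS = re.compile(
    r"(?P<action>PASS|DROP|REJECT)\s+(?P<rule>\S+)\s+(?P<dir>IN|OUT)\b.*?"
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+)"
)

def split_stream(lines):
    """Route lines: those carrying the keyword go to 'dfw', the rest to 'other'."""
    out = defaultdict(list)
    for line in lines:
        if line.strip():
            out["dfw" if KEYWORD in line else "other"].append(line)
    return out

def parse_dfw(line):
    """Return a dict of rule id and flow fields, or None if the line does not parse."""
    _, _, body = line.partition(KEYWORD)
    m = FIELDS.search(body)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule_id"] = rec.pop("rule").rsplit("/", 1)[-1]  # keep digits after the last '/'
    return rec

def select(lines, **want):
    """Parsed DFW records whose fields equal every key=value in want."""
    recs = (parse_dfw(l) for l in split_stream(lines)["dfw"])
    return [r for r in recs if r and all(r.get(k) == v for k, v in want.items())]

if __name__ == "__main__":
    for r in select(SAMPLE.splitlines(), action="DROP"):
        print(r)
```

Lines that carry the keyword but do not match the assumed layout are still routed to the DFW bucket and only skipped at the field-filtering step, so nothing is silently lost from the separate folder.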