I was recently trying to diagnose a production connectivity issue on a CentOS 7 box and found it a bit non-obvious how to get the firewall to log connection attempts. It is in fact documented in section 220.127.116.11.3 (how about that for a document subsection?!) but for ease of reference I'm putting it here.
Basically, add a rich rule that includes log level details. For example, to open port 10000 for IP address 198.51.100.0, use the following:
$ sudo firewall-cmd --zone=public --add-rich-rule="rule family="ipv4" source address="198.51.100.0/32" port protocol="tcp" port="10000" log prefix="test-firewalld-log" level="info" accept"
Connection attempts from that IP address will then be logged in /var/log/messages:
$ sudo tail -f /var/log/messages |grep test-firewalld-log