If I filter logging on interface=WAN, dir=in, action=pass, I want to see which ports on which IPs on my LAN are tried.
But what I see is the translated destination (so after NAT). Suppose I let ports 80 and 8080 on the WAN NAT forward to an internal server, but simply to some single port (say 8081). I see where it ends up, but I cannot see what the outside world was actually trying (80 or 8080).
I would expect that the WAN-in logging is src and dest before NAT and the LAN-out logging after NAT.