diff --git a/firewall.go b/firewall.go
index f3d0ced..e6e6bbf 100644
--- a/firewall.go
+++ b/firewall.go
@@ -152,6 +152,13 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
 return errors.Wrap(err, "failed to add rule")
 }
 
+ // Log blocked traffic - UDP packets
+ err = ipt.Append(filterTable, chain, direction, netInterface, protocol, "udp", "-j", "NFLOG", "--nflog-group", "100")
+
+ if err != nil {
+ return errors.Wrap(err, "failed to add UDP NFLOG rule")
+ }
+
 // Block all other traffic
 err = ipt.Append(filterTable, chain, direction, netInterface, protocol, allProtocols, target, reject)
diff --git a/netmon.go b/netmon.go
index 7f71a47..ce482fd 100644
--- a/netmon.go
+++ b/netmon.go
@@ -71,6 +71,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 packet := gopacket.NewPacket(data, layers.LayerTypeIPv4, gopacket.Default)
 port := ""
 isSYN := false
+ isUDP := false
 // Get the TCP layer from this packet
 if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
 // Get actual TCP data from this layer
@@ -78,6 +79,11 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 port = tcp.DstPort.String()
 isSYN = tcp.SYN
+ } else if udpLayer := packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
+ // Get actual UDP data from this layer
+ udp, _ := udpLayer.(*layers.UDP)
+ port = udp.DstPort.String()
+ isUDP = true
 }
 
 // Get the IP layer from this packet
@@ -90,7 +96,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 if !found {
 ipAddresses[ipv4Address] = 1
 
- if isSYN {
+ if isSYN || isUDP {
 if netMonitor.Status == "Dropped" {
 netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId,
 netMonitor.Repo,
diff --git a/procmon_linux.go b/procmon_linux.go
index 297782b..9f87550 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
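Review bot: The nflog group in the new UDP rule is a bare literal `"100"`, and the nflog listener in netmon.go (and, presumably, the TCP NFLOG rule above this hunk) must bind the same number, so a change in either place silently stops UDP reports without any error; lift it into one shared constant, e.g. `const nflogGroup = "100"` used as `"--nflog-group", nflogGroup`. The comment `// Log blocked traffic - UDP packets` runs ahead of the code, since the datagram is only rejected by the catch-all rule that follows; `// Log UDP traffic that reaches this point; the catch-all rule below rejects it` states the actual order. Where the TCP side likely only sees the handshake packet, this rule copies every rejected UDP datagram to userspace, so a chatty DNS or QUIC client can flood the nflog socket and the handlePacket path — a `-m limit` match on the rule, or rate limiting in the consumer, is worth considering if the workload is noisy. addBlockRules starts and ends outside the hunk.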
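Review bot: With `if isSYN || isUDP` in the third netmon.go hunk, the first datagram to a new address is now reported through sendNetConnection, but the record still carries only `port` (for example "53"), so unless the arguments that continue outside the hunk include a protocol the backend cannot tell UDP 53 from TCP 53. Tracking a protocol string beside the boolean — `protocol = "udp"` in the new branch of the second hunk and the matching value in the TCP branch — and sending it with the port keeps the two kinds of event distinguishable. The dedup key `ipAddresses[ipv4Address]` is IP-only, so a UDP datagram that arrives first suppresses a later TCP SYN report to the same address; that behaviour predates this change, but UDP makes the collision more likely. The enclosing handlePacket extends beyond the hunk.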
@@ -107,7 +107,19 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 errc <- errors.Wrap(err, "failed to add audit rule for syscall connect")
 }
 
- WriteLog("Net monitor added")
+ WriteLog("Net monitor added for TCP (connect)")
+
+ // syscall sendto (for UDP)
+ r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -S sendmsg -k %s", netMonitorTag))
+
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule for sendto %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule for syscall sendto")
+ }
+
+ WriteLog("Net monitor added for UDP (sendto & sendmsg)")
 
 // syscall process start
 r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S execve -k %s", processMonitorTag))
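Review bot: The second return values of `flags.Parse` and `rule.Build` are discarded (`r, _ =`, `actualBytes, _ =`), and `WriteLog("Net monitor added for UDP (sendto & sendmsg)")` runs even when `client.AddRule` has just failed, so a malformed or rejected rule leaves the UDP side of the monitor silently uncovered while the log claims it is active. Assuming the discarded values are errors, report them on errc like the AddRule failure and log success only on the happy path, as below; the TCP `connect` rule above the hunk follows the same pattern and deserves the same treatment. Note also that `-S sendto -S sendmsg` is not UDP-specific — sendmsg can be used on stream and unix sockets too, and a connected UDP socket written with `write` bypasses the rule — so the consumer keyed on netMonitorTag should treat the events as a superset, and the comment `// syscall sendto (for UDP)` could say so. MonitorProcesses starts before and ends after the hunk.
```go
	// syscall sendto / sendmsg (UDP; also fires for other socket types)
	r, err = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -S sendmsg -k %s", netMonitorTag))
	if err != nil {
		errc <- errors.Wrap(err, "failed to parse audit rule for syscall sendto")
	} else if actualBytes, err = rule.Build(r); err != nil {
		errc <- errors.Wrap(err, "failed to build audit rule for syscall sendto")
	} else if err = client.AddRule(actualBytes); err != nil {
		WriteLog(fmt.Sprintf("failed to add audit rule for sendto %v", err))
		errc <- errors.Wrap(err, "failed to add audit rule for syscall sendto")
	} else {
		WriteLog("Net monitor added for UDP (sendto & sendmsg)")
	}
	// … unchanged: execve process-start rule …
```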