diff --git a/etc/firejail.config b/etc/firejail.config
index 9d37b4d8a..e8bf45751 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -57,6 +57,11 @@
 # to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
+# tracelog enables auditing blacklisted files and directories. A message
+# is sent to syslog in case the file or the directory is accessed.
+# Disabled by default.
+# tracelog no
+
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index e2fab1265..62b8c4dc4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -62,6 +62,7 @@ int checkcfg(int val) {
 cfg_val[CFG_CHROOT] = 0;
 cfg_val[CFG_SECCOMP_LOG] = 0;
 cfg_val[CFG_PRIVATE_LIB] = 0;
+ cfg_val[CFG_TRACELOG] = 0;
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -111,6 +112,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_SECCOMP, "seccomp")
 PARSE_YESNO(CFG_NETWORK, "network")
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
+ PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 0a4dffb75..94f970eb8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -831,6 +831,7 @@ enum {
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_ALLOW_TRAY,
 CFG_SECCOMP_LOG,
+ CFG_TRACELOG,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 29c25dfc5..c7da3c95c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
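Review bot: `cfg_val[CFG_TRACELOG] = 0;` in the first checkcfg.c hunk makes the new key default to disabled, so an installation whose firejail.config predates this commit and has no `tracelog` line at all silently stops producing the syslog audit messages its profiles' `tracelog` directives used to generate (the profile.c hunk in this commit drops the directive without any message). That is presumably intended, given the config-file comment, but it is an upgrade-visible change worth recording next to the default, e.g. `cfg_val[CFG_TRACELOG] = 0; // off unless firejail.config says "tracelog yes"; profile tracelog lines are then ignored`. The PARSE_YESNO entry in the second hunk is consistent with the surrounding keys. checkcfg() starts and ends outside both hunks.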
@@ -343,7 +343,8 @@ errout:
 static void exit_err_feature(const char *feature) {
- fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+ fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
+ feature, SYSCONFDIR "/firejail.config");
 exit(1);
 }
@@ -1489,8 +1490,12 @@ int main(int argc, char **argv, char **envp) {
 arg_tracefile = tmp;
 }
 }
- else if (strcmp(argv[i], "--tracelog") == 0)
- arg_tracelog = 1;
+ else if (strcmp(argv[i], "--tracelog") == 0) {
+ if (checkcfg(CFG_TRACELOG))
+ arg_tracelog = 1;
+ else
+ exit_err_feature("tracelog");
+ }
 else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
 check_unsigned(argv[i] + 13, "Error: invalid rlimit");
 sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f406e2c53..641bb09b1 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "tracelog") == 0) {
- arg_tracelog = 1;
+ if (checkcfg(CFG_TRACELOG))
+ arg_tracelog = 1;
+ // no warning, we have tracelog in over 400 profiles
 return 0;
 }
 else if (strcmp(ptr, "private") == 0) {
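Review bot: In the profile.c hunk, when `checkcfg(CFG_TRACELOG)` is false the profile's `tracelog` line is dropped with no output at all, so an administrator who expects the audit messages in syslog has nothing pointing at the config key; the comment explains why a warning is unwanted for the 400-profile case, but a debug-only line costs nothing there. Consider `else if (arg_debug) printf("Debug: tracelog disabled in %s, ignoring %s line %d\n", SYSCONFDIR "/firejail.config", fname, lineno);` after the `if`, using the `fname` and `lineno` parameters the function already receives. This path also differs from the `--tracelog` command-line path in the main.c hunk, which exits through exit_err_feature(); a short comment stating that the asymmetry is deliberate would help the next reader. profile_check_line() starts and ends outside the hunk.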