tcpdump (-mini is likely sufficient) filtering on those same flags and capture to a file would be how I'd approach it. You can either do it on the router, or from the ssh session on another machine.
You might be able to modify your firewall rules to log the packets' header information. At least for me, tcpdump is easier and doesn't change the device under test's configuration that is significant (usually).
I've also added additional rules below that drop NEW TCP packets that are not SYNs:
I agree with @jeff, I'd check into where they are coming from.
I block this and only permit services that must ping me (e.g. HE.net's Tunnelbroker service). Many people I've mentioned this to in various forums always note that it doesn't "prevent" anything. I can identify 2 things:
Most scanners only using ICMP Request will not see your router
You cannot be DDoSed (i.e. your CPU running out of resources to route and NAT) with a ping of death
Also, I change all the default REJECT (sends ICMP-Unreachable) rules to DROP (silent). This prevents scanning for REJECTs sent from the router's firewall. It also prevents the creation of rejects, which can break traceroute in some configurations.