Forum Discussion
Getting Windows Firewall Log into LA.
Did you get a solution? The Custom log would be <the name you specified>_CL
Or you can use the MMA on the computer with the Firewall and set to collect that EventLog in Log Analytics https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
Hi CliveWatson - I was able to receive firewall connection logging by enabling the connector in Sentinel, this lit up the FirewallLog table in Log Analytics. I am pretty sure the Windows Firewall Log you selected that is visible in event viewer is only for firewall administrative, changes, audit etc, but it does not list client connectivity.
- JDP01, Aug 06, 2019, Microsoft
I just added in Sentinel then going into Log Analytics I can see Schema\Active\Windows Firewall is now there too. No data is there, so I'm assuming the Microsoft Monitoring Agent will automatically pick up the Windows Firewall Log %systemroot%\system32\LogFiles\Firewall\ if it's enabled? I will most likely enable this in a WF Logging on a VM and see if the data starts to show up. Or is there more to configure so the MMA can find this log?
- AndrewX, Aug 06, 2019, Iron Contributor
Yes, you now simply need to customise the Windows firewall log logging properties and enable successful and dropped connections.
- JDP01, Aug 06, 2019, Microsoft
Tested enabling logging in the WF for all 3 profiles and still not seeing any data in Log Analytics. I also tried setting up a custom log, but that creates a new Schema\Active\Custom area, which is different than what Azure Sentinel did by adding the Windows Firewall. I'll wait a few hours, but in the setup it only needs the MMA installed, nothing about needing to enable FW logging or anything like that.
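
Added example, not part of the thread: a PowerShell check for the troubleshooting step discussed above, confirming per profile that allowed and dropped connections are logged and that a log file is actually being written. It assumes, as the thread does, that the agent collects from `%systemroot%\system32\LogFiles\Firewall\`; the `-Enable` switch and variable names are hypothetical.

```powershell
# Added example: audit, and optionally enable, Windows Firewall connection logging.
# Assumption from the thread: the agent reads logs under %systemroot%\system32\LogFiles\Firewall\.
param([switch]$Enable)   # hypothetical switch: pass -Enable to turn logging on (needs elevation)

$expectedDir = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall'

if ($Enable) {
    # Log both allowed (successful) and dropped connections on all three profiles.
    Set-NetFirewallProfile -Name Domain, Private, Public -LogAllowed True -LogBlocked True
}

# ActiveStore is the effective policy: local settings merged with Group Policy,
# so a GPO that turns logging off or redirects the log file shows up here.
$report = foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $path = [Environment]::ExpandEnvironmentVariables($fwProfile.LogFileName)
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Profile       = $fwProfile.Name
        LogAllowed    = $fwProfile.LogAllowed
        LogBlocked    = $fwProfile.LogBlocked
        LogFile       = $path
        InExpectedDir = $path.StartsWith($expectedDir, [StringComparison]::OrdinalIgnoreCase)
        SizeBytes     = if ($file) { $file.Length } else { $null }
        LastWrite     = if ($file) { $file.LastWriteTime } else { $null }
    }
}
$report | Format-Table -AutoSize

# Flag profiles that would leave nothing at the expected path to collect.
$report | Where-Object {
    "$($_.LogAllowed)" -ne 'True' -or "$($_.LogBlocked)" -ne 'True' -or
    -not $_.InExpectedDir -or -not $_.LastWrite
} | ForEach-Object {
    Write-Warning "$($_.Profile): logging is off, redirected, or no log file written yet"
}
```

A profile with logging enabled but an empty `LastWrite` means no connection has been logged under that profile yet, which is worth ruling out before looking at the agent or workspace side.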