Forum Discussion
Getting Windows Firewall Log into LA.
Hi CliveWatson - I was able to receive firewall connection logging by enabling the connector in Sentinel, this lit up the FirewallLog table in Log Analytics. I am pretty sure the Windows Firewall Log you selected that is visible in event viewer is only for firewall administrative, changes, audit etc, but it does not list client connectivity.
I just added in Sentinel then going into Log Analytics I can see Schema\Active\Windows Firewall is now there too. No data is there, so I'm assuming the Microsoft Monitoring Agent will automatically pick up the Windows Firewall Log %systemroot%\system32\LogFiles\Firewall\ if it's enabled? I will most likely enable this in a WF Logging on a VM and see if the data starts to show up. Or is there more to configure so the MMA can find this log?
- AndrewX, Aug 06, 2019, Iron Contributor
Yes, you now simply need to customise the Windows firewall log logging properties and enable successful and dropped connections.
- JDP01, Aug 06, 2019, Microsoft
NOT WORKING =/
Schema\Active\WindowsFirewall
WindowsFirewall | limit 50
Custom log IS WORKING 😃
Schema\Active\Custom Logs
pfirewall_CL | limit 50
- AndrewX, Aug 06, 2019, Iron Contributor
Weird, I definitely have data in the WindowsFirewall table in Log Analytics, and I had to do two things:
1. Enable connection logging in the Windows Firewall
2. Enable the Windows Firewall connector in Sentinel
- CliveWatson, Aug 06, 2019, Former Employee
So it's all working now?
- AndrewX, Aug 06, 2019, Iron Contributor
Yes it is.
- JDP01, Aug 06, 2019, Microsoft
Tested enabling logging in the WF for all 3 profiles and still not seeing any data in Log Analytics. I also tried setting up a custom log, but that creates a new Schema\Active\Custom area, which is different than what Azure Sentinel did by adding the Windows Firewall. I'll wait a few hours, but in the setup it only needs the MMA installed, nothing about needing to enable FW logging or anything like that.
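
Step 1 from the list above (connection logging in the Windows Firewall) can be set and checked on the VM itself before looking at the workspace. The following PowerShell is an added example, not part of the original thread; it assumes an elevated session on the VM and reads the log path from each profile rather than assuming one.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$profiles = 'Domain', 'Private', 'Public'

# Log both successful (allowed) and dropped connections on all three profiles.
Set-NetFirewallProfile -Name $profiles -LogAllowed True -LogBlocked True

# Read back the *effective* settings (ActiveStore), since Group Policy can
# override what was just written to the local store.
$report = foreach ($p in Get-NetFirewallProfile -Name $profiles -PolicyStore ActiveStore) {
    # LogFileName is stored with %systemroot%; expand it to a real path.
    $path = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Profile    = $p.Name
        LogAllowed = $p.LogAllowed
        LogBlocked = $p.LogBlocked
        LogFile    = $path
        Exists     = [bool]$file
        SizeBytes  = if ($file) { $file.Length } else { 0 }
        LastWrite  = if ($file) { $file.LastWriteTime } else { $null }
    }
}
$report | Format-Table -AutoSize

# A profile with logging still off, or a log file that is missing, means there
# is nothing on disk for the monitoring agent to collect.
$report | Where-Object {
    $_.LogAllowed -ne 'True' -or $_.LogBlocked -ne 'True' -or -not $_.Exists
} | ForEach-Object {
    Write-Warning "Profile $($_.Profile): no connection log at $($_.LogFile)"
}
```

If every profile shows logging enabled and LastWrite keeps advancing while the WindowsFirewall table stays empty, the gap is on the agent or connector side rather than in the firewall logging settings.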