Forum Discussion
Issue collecting Windows Firewall Events
I waited for more than 24 hours and still nothing.
Yes, I configured the correct workspace; indeed, the Security Events are coming into the Log Analytics Workspace.
Did you eventually find a solution?
- simonepatonico, Apr 30, 2020, Brass Contributor
WouterStinkens Yes, you need to reduce the size of the log file to a few KB. I reduced it to 2 KB and it works!
- saurabh09, Jul 01, 2020, Copper Contributor
simonepatonico could you please tell me if reducing the logfile size to 2 KB solved your problem permanently? I was facing the same issue as you and received logs from Windows Firewall as soon as I reduced the logfile size to 2 KB, but the next day again I couldn't see the Windows Firewall logs.
Did you try any other solution after reducing the logfile size?
- simonepatonico, Jul 02, 2020, Brass Contributor
saurabh09 Yes, I solved the problem by reducing the logfile size to 2 KB. However, since Windows Firewall does not log all the data that I need, I did not use it for Analytics rules in Azure Sentinel. If your machines are VMs in Azure, I suggest you integrate logs from Network Security Groups, but it would require you to set up a custom table in the Log Analytics Workspace.
Regards
Simone