Forum Discussion
Windows Firewall logs are enabled, but they do not show up in Sentinel
Hello,
We have the MMA agent installed on 26 Windows servers, but we are not getting into Sentinel.
I cannot see any table named "WindowsFirewall" either.
Do the tables appear when data starts pouring in, or is it now deprecated in Sentinel?
- CliveWatson (Microsoft)
Have you told the MMA to start collecting data? The 2 ways of doing that are:
1. Look under Advanced settings, in your screenshot, and add the Event Logs items you need
2. Enable an Azure Sentinel connector
Do you have any data from the Agents? If you do, it should be in the Heartbeat table:
Heartbeat | summarize count(), arg_max(TimeGenerated,*) by Computer
- SalmanKhan (Copper Contributor)
CliveWatson Thanks for the prompt response.
Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
If you see below, this is what the front page of Sentinel looks like:
Is it possible that I need to tune it on the Windows Firewall (on the servers) as well, so that they are sent over to Sentinel?
- CliveWatson (Microsoft)
Logs configured as you have done go into the Events Table
Event | summarize count() by EventLog
Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall