07-29-2019 08:03 PM
Hello - how do I get the C:\Windows\System32\LogFiles\Firewall\pfirewall.log into my Log Analytics, and which table will it be ingested in?
I see a WindowsFirewall table, but that is empty.
WindowsFirewall | limit 50
Over in LA advanced settings I see the option to add a custom log, which I did, but still no data.
08-05-2019 02:51 AM
Did you get a solution? The custom log would be <the name you specified>_CL
Or you can use the MMA on the computer with the firewall and set it to collect that event log in Log Analytics: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
08-05-2019 05:00 AM
Hi @Clive Watson - I was able to receive firewall connection logging by enabling the connector in Sentinel; this lit up the FirewallLog table in Log Analytics. I am pretty sure the Windows Firewall log you selected that is visible in Event Viewer is only for firewall administrative changes, audit etc., but it does not list client connectivity.
08-06-2019 12:17 AM
I just added it in Sentinel, then going into Log Analytics I can see Schema\Active\Windows Firewall is now there too. No data is there, so I'm assuming the Microsoft Monitoring Agent will automatically pick up the Windows Firewall log %systemroot%\system32\LogFiles\Firewall\ if it's enabled? I will most likely enable this in WF logging on a VM and see if the data starts to show up. Or is there more to configure so the MMA can find this log?
08-06-2019 12:53 AM
Tested enabling logging in the WF for all 3 profiles and still not seeing any data in Log Analytics. I also tried setting up a custom log, but that creates a new Schema\Active\Custom area, which is different from what Azure Sentinel did by adding the Windows Firewall. I'll wait a few hours, but in the setup it only needs the MMA installed, nothing about needing to enable FW logging or anything like that.
08-06-2019 07:02 PM
@Andrew Huddleston wrote:
Weird, I definitely have data in the WindowsFirewall table in Log Analytics, and I had to do two things:
1. Enable connection logging in the Windows Firewall
2. Enable the Windows Firewall connector in Sentinel
So we have the same setup. The reason I did a custom log was so I know that the WF log is being captured. I'm going to remove the custom log, disable/re-enable both #1 & #2, give the VM a reboot and see if it starts working. If not, well, being a preview product at the moment, I might check with support.
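Step 1 in the quoted list (enabling connection logging for all three profiles) and the check the thread keeps circling back to (is the log file actually being written before the agent is blamed) as an added PowerShell example; this is not code from any poster. $LogPath is an assumption that matches the default location named in the thread, and the cmdlet parameters are the standard NetSecurity ones.

```powershell
# Added example (not from any poster in this thread): enable Windows Firewall
# connection logging for all three profiles, read the settings back, and confirm
# the log file is growing. Run in an elevated PowerShell session on the VM.
# $LogPath is an assumption; it is the default location quoted in the thread.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Log both allowed and dropped connections. LogMaxSizeKilobytes caps the file;
# 32767 KB is the largest value the firewall accepts.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName $LogPath `
    -LogAllowed True `
    -LogBlocked True `
    -LogMaxSizeKilobytes 32767

# Read the effective settings back so a GPO overriding the local setting shows up.
Get-NetFirewallProfile -Profile Domain, Private, Public |
    Select-Object Name, Enabled, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Check that the file exists and is growing. The first lines are the W3C-style
# header (#Version, #Software, #Time Format, #Fields) that describes the columns.
if (Test-Path $LogPath) {
    $before = (Get-Item $LogPath).Length
    Start-Sleep -Seconds 30
    $after = (Get-Item $LogPath).Length
    "Log size: $before -> $after bytes (only grows while connections are being logged)"
    Get-Content $LogPath -TotalCount 5
} else {
    "No log file at $LogPath yet; generate some network traffic and re-check."
}
```

If the profile is shown as Enabled but the file never grows, the local setting is being overridden (typically by Group Policy), which is worth ruling out before looking at the agent or connector side.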