Getting Windows Firewall Log into LA.


Hello - how do I get the C:\Windows\System32\LogFiles\Firewall\pfirewall.log into my Log Analytics, and which table will it be ingested in?

I see a WindowsFirewall table, but that is empty.

WindowsFirewall
| limit 50

Over in LA advanced settings I see the option to add a custom log, which I did, but still no data.

Thoughts?

11 Replies

@Andrew Huddleston

Did you get a solution? The custom log would be <the name you specified>_CL

Or you can use the MMA on the computer with the firewall and set it to collect that EventLog in Log Analytics: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

[Image: Annotation 2019-08-05 104848.jpg]


Hi @Clive Watson - I was able to receive firewall connection logging by enabling the connector in Sentinel; this lit up the FirewallLog table in Log Analytics. I am pretty sure the Windows Firewall log you selected that is visible in Event Viewer is only for firewall administrative changes, audit etc., but it does not list client connectivity.


@Andrew Huddleston

I just added it in Sentinel, then going into Log Analytics I can see Schema\Active\Windows Firewall is now there too. No data is there, so I'm assuming the Microsoft Monitoring Agent will automatically pick up the Windows Firewall log %systemroot%\system32\LogFiles\Firewall\ if it's enabled? I will most likely enable WF logging on a VM and see if the data starts to show up. Or is there more to configure so the MMA can find this log?


Tested enabling logging in the WF for all 3 profiles and still not seeing any data in Log Analytics. I also tried setting up a custom log, but that creates a new Schema\Active\Custom area, which is different than what Azure Sentinel did by adding the Windows Firewall. I'll wait a few hours, but in the setup it only needs the MMA installed, nothing about needing to enable FW logging or anything like that.

Yes, you now simply need to customise the Windows Firewall logging properties and enable successful and dropped connections.

So it's all working now?

@Andrew Huddleston

NOT WORKING =/

Schema\Active\WindowsFirewall

WindowsFirewall
| limit 50

Custom log IS WORKING =)

Schema\Active\Custom Logs

pfirewall_CL
| limit 50
Weird, I definitely have data in the WindowsFirewall table in Log Analytics, and I had to do two things:

1. Enable connection logging in the Windows Firewall
2. Enable the Windows Firewall connector in Sentinel
Yes it is.
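Step 1 of the two steps Andrew lists above (turn on connection logging in the Windows Firewall, for all three profiles, for both allowed and dropped connections) as a PowerShell script, with a check that pfirewall.log is actually being written before you go looking for rows in Log Analytics. This is an added example, not code from anyone in this thread or from Microsoft; it assumes an elevated PowerShell session on the VM that has the MMA installed, and uses the log path the thread refers to. The 16 MB size cap is a value chosen for this example. Step 2 (enabling the Windows Firewall connector in Sentinel) is a portal action and is not scripted here.

```powershell
# Added example (not from the thread): enable Windows Firewall connection logging
# on all three profiles and verify that pfirewall.log is receiving entries.
# Assumes an elevated session on the VM that has the MMA installed.

$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'   # path discussed in the thread

# Step 1: log both allowed and dropped connections for Domain, Private and Public.
# Without -LogAllowed/-LogBlocked set to True the file stays empty, which is the
# symptom seen in the thread ("WindowsFirewall table is empty").
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName $LogPath `
    -LogAllowed True `
    -LogBlocked True `
    -LogMaxSizeKilobytes 16384      # 16 MB cap, chosen for this example

# Read the settings back so the change can be confirmed on this host
# (or compared across hosts when the connector lights up for some and not others).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Check that the file exists and contains connection entries. Entries only appear
# once traffic has matched a rule, so allow some time (or generate traffic) after enabling.
$Resolved = [Environment]::ExpandEnvironmentVariables($LogPath)
if (-not (Test-Path -Path $Resolved)) {
    Write-Warning "No log file at $Resolved yet; generate some traffic and re-check."
    return
}

$Lines   = Get-Content -Path $Resolved -Tail 200
$Entries = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') }   # skip the '#Fields:' style header

if (@($Entries).Count -eq 0) {
    Write-Warning "Log file exists but has no connection entries yet."
} else {
    "Last entry written: $($Entries[-1])"
    # Field layout is 'date time action protocol src-ip dst-ip ...', so index 2 is the action.
    # Seeing both ALLOW and DROP confirms that both logging settings took effect.
    $Entries |
        ForEach-Object { ($_ -split ' ')[2] } |
        Group-Object |
        Select-Object Name, Count
}
```

If the settings read back correctly and the file is growing but the WindowsFirewall table is still empty, the remaining variables are on the ingestion side (the Sentinel connector in step 2 and the MMA on the host), which is what the rest of the thread works through.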


@Andrew Huddleston wrote:
Weird, I definitely have data in the WindowsFirewall table in Log Analytics, and I had to do two things:

1. Enable connection logging in the Windows Firewall
2. Enable the Windows Firewall connector in Sentinel

So we have the same setup. The reason I did a custom log was so I know that the WF log is being captured. I'm going to remove the custom log, disable/re-enable both #1 & #2, give the VM a reboot and see if it starts working. If not, well, being a preview product at the moment, I might check with support.

Came across this - https://github.com/Azure/Azure-Sentinel/issues/164