Forum Discussion
Getting Windows Firewall Log into LA.
Hello - how do I get the C:\Windows\System32\LogFiles\Firewall\pfirewall.log into my Log Analytics, and which table will it be ingested in?
I see a WindowsFirewall table, but that is empty.
WindowsFirewall
| limit 50
Over in LA advanced settings I see the option to add a custom log, which I did, but still no data.
Thoughts?
11 Replies
- CliveWatson
Former Employee
Did you get a solution? The custom log would be <the name you specified>_CL
Or you can use the MMA on the computer with the Firewall and set it to collect that EventLog in Log Analytics https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
- AndrewX
Iron Contributor
Hi CliveWatson - I was able to receive firewall connection logging by enabling the connector in Sentinel; this lit up the FirewallLog table in Log Analytics. I am pretty sure the Windows Firewall Log you selected that is visible in Event Viewer is only for firewall administrative changes, audit, etc., but it does not list client connectivity.
- JDP01
Microsoft
I just added it in Sentinel; then, going into Log Analytics, I can see Schema\Active\Windows Firewall is now there too. No data is there, so I'm assuming the Microsoft Monitoring Agent will automatically pick up the Windows Firewall Log %systemroot%\system32\LogFiles\Firewall\ if it's enabled? I will most likely enable this in WF Logging on a VM and see if the data starts to show up. Or is there more to configure so the MMA can find this log?