Jul 29 2019 - last edited on Apr 07 2022
Hello - how do I get the C:\Windows\System32\LogFiles\Firewall\pfirewall.log into my Log Analytics, and which table will it be ingested into?
I see a WindowsFirewall table, but that is empty.
WindowsFirewall | limit 50
Over in LA advanced settings I see the option to add a custom log, which I did, but still no data.
Aug 05 2019 02:51 AM
Did you get a solution? The custom log table would be <the name you specified>_CL
Or you can use the MMA on the computer with the Firewall and set to collect that EventLog in Log Analytics https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
Aug 05 2019 05:00 AM
Hi @CliveWatson - I was able to receive firewall connection logging by enabling the connector in Sentinel; this lit up the FirewallLog table in Log Analytics. I am pretty sure the Windows Firewall log you selected that is visible in Event Viewer is only for firewall administrative changes, audits, etc., but it does not list client connectivity.
Aug 06 2019 12:17 AM
I just added it in Sentinel, then going into Log Analytics I can see Schema\Active\Windows Firewall is now there too. No data is there, so I'm assuming the Microsoft Monitoring Agent will automatically pick up the Windows Firewall log %systemroot%\system32\LogFiles\Firewall\ if it's enabled? I will most likely enable WF logging on a VM and see if the data starts to show up. Or is there more to configure so the MMA can find this log?
Aug 06 2019 12:53 AM
Tested enabling logging in the WF for all 3 profiles and still not seeing any data in Log Analytics. I also tried setting up a custom log, but that creates a new Schema\Active\Custom area, which is different from what Azure Sentinel did by adding the Windows Firewall. I'll wait a few hours, but in the setup it only needs the MMA installed; nothing about needing to enable FW logging or anything like that.
Aug 06 2019 12:55 AM
Aug 06 2019 04:23 AM
Aug 06 2019 07:02 PM
Weird, I definitely have data in the WindowsFirewall table in Log Analytics, and I had to do two things:
1. Enable connection logging in the Windows Firewall
2. Enable the Windows Firewall connector in Sentinel
So we have the same setup. The reason I did a custom log was so I know that the WF log is being captured. I'm going to remove the custom log, disable/re-enable both #1 & #2, give the VM a reboot and see if it starts working. If not, well, being a preview product at the moment, I might check with support.
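The two steps in the thread (enable connection logging on all three profiles, then let the agent pick up pfirewall.log) are easy to get half right, so the following is an added example, not code from the thread or from Microsoft, that switches logging on with the NetSecurity cmdlets, confirms each profile's setting, and parses the W3C-style log so you can see exactly what the agent would ingest. The sample log lines are constructed for the example; the `ConvertFrom-PfirewallLog` function name and the `$LogPath` variable are this example's own. Run it in an elevated PowerShell session on the VM where the MMA is installed.

```powershell
# Added example (not from the thread): enable Windows Firewall connection logging
# on all three profiles, verify it, and parse the resulting W3C-style log file.
# Requires an elevated session; Set-/Get-NetFirewallProfile come from the built-in
# NetSecurity module.

$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Step 1 from the thread: log both allowed and dropped connections for every profile.
# Without -LogAllowed/-LogBlocked set to True the file stays empty, which is the
# symptom described above (table present, no rows).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogAllowed True -LogBlocked True `
    -LogFileName $LogPath -LogMaxSizeKilobytes 32767

# Check that the setting actually applied to all three profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogAllowed, LogBlocked, LogFileName |
    Format-Table -AutoSize

# Parse pfirewall.log lines into objects using the '#Fields:' header so the column
# names are taken from the file rather than hard-coded.
function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and data before a #Fields header.
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$obj
    }
}

# Constructed sample log (same layout Windows writes) so the parser can be tried
# before any real traffic is logged.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-08-06 00:53:10 DROP TCP 10.0.0.5 10.0.0.4 50231 3389 52 S 1234567 0 8192 - - - RECEIVE
2019-08-06 00:53:11 ALLOW UDP 10.0.0.4 10.0.0.2 61000 53 0 - - - - - - - SEND
2019-08-06 00:53:12 ALLOW TCP 10.0.0.4 13.107.4.52 49700 443 0 - - - - - - - SEND
'@ -split "`r?`n"

# Summarise the constructed sample: expected output is ALLOW = 2, DROP = 1.
ConvertFrom-PfirewallLog -Lines $SampleLog |
    Group-Object action |
    Select-Object Name, Count

# Then run the same parser over the live file once traffic has flowed; if this
# returns rows but the WindowsFirewall table stays empty, the problem is on the
# agent/connector side rather than the firewall logging side.
if (Test-Path $LogPath) {
    ConvertFrom-PfirewallLog -Lines (Get-Content -Path $LogPath) |
        Group-Object action |
        Select-Object Name, Count
}
```

Splitting the check into two halves is the point: the first block proves the firewall is writing the file (the thread's step 1), and only once that shows rows is it worth looking at the Sentinel connector and agent (step 2).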