Azure Sentinel unable to capture Windows firewall logs on domain controller


I have 10 domain controllers enabled with Windows Firewall for incoming connections. Incoming connections that don't have a firewall rule will be blocked. To validate, we have enabled dropped Windows Firewall logs. Log collection on Sentinel is not happening after enabling only dropped firewall logs.

I investigated and found that the management pack named “Microsoft.IntelligencePacks.FirewallLog.701” is responsible for collecting the data. The configuration says it captures data from the file with the “*.log.old” extension.

On the domain controller, logging works only on “pfirewall.log”. The file with the “.log.old” extension is generated only when the “pfirewall.log” log file gets filled. Since we modified the dropped-log capture, the file size is not increasing, so the new file with the “*.log.old” extension is not getting created.

The log file size could be reduced, but the log data varies greatly between DCs. If I set the file size too small, we will lose log data on the servers.

We need to find a better solution.
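To confirm the state the post describes on a given DC, the following added PowerShell check (not from the original post or from Microsoft) reads each firewall profile's logging settings and reports how full pfirewall.log is and whether the rotated "*.log.old" file that the collector reads exists yet. It assumes the built-in NetSecurity module (Windows Server 2012+), an elevated session, and the rotated file being named by appending ".old" to the configured log path.

```powershell
# Added example: per-profile Windows Firewall logging state and rotation status.
# Assumes the NetSecurity module (Get-NetFirewallProfile) and an elevated session.
function Get-FirewallLogRotationStatus {
    [CmdletBinding()]
    param()

    foreach ($fwProfile in Get-NetFirewallProfile) {
        # LogFileName normally contains %systemroot%; expand it before touching the path.
        $logPath = [Environment]::ExpandEnvironmentVariables($fwProfile.LogFileName)
        # Assumption: the rotated file is the log path with ".old" appended (pfirewall.log.old).
        $oldPath = "$logPath.old"

        $log = Get-Item -LiteralPath $logPath -ErrorAction SilentlyContinue
        $old = Get-Item -LiteralPath $oldPath -ErrorAction SilentlyContinue

        # LogMaxSizeKilobytes is the size at which Windows rotates the file.
        $maxBytes = [int64]$fwProfile.LogMaxSizeKilobytes * 1KB
        $percentFull = if ($log -and $maxBytes -gt 0) {
            [math]::Round(100 * $log.Length / $maxBytes, 1)
        } else { 0 }

        [pscustomobject]@{
            Profile     = $fwProfile.Name
            Enabled     = $fwProfile.Enabled
            LogBlocked  = $fwProfile.LogBlocked   # must be True for dropped packets to be logged
            LogAllowed  = $fwProfile.LogAllowed
            LogFile     = $logPath
            MaxSizeKB   = $fwProfile.LogMaxSizeKilobytes
            PercentFull = $percentFull
            RotatedFile = if ($old) { $old.LastWriteTime } else { 'missing (nothing for the collector to read yet)' }
        }
    }
}

Get-FirewallLogRotationStatus | Format-Table -AutoSize
```

Run it on each DC (locally or via Invoke-Command); a profile showing LogBlocked True, a low PercentFull and a missing RotatedFile is exactly the condition described above, where no rotation means no file for the collector to pick up.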
