Forum Discussion
Issue collecting Windows Firewall Events
Hi community,
I have a problem collecting Windows Firewall events from my Windows 10 VMs.
I enabled the Windows Firewall connector in Sentinel, installed the MMA (64-bit version 10.20.18018.0) on the workstation and enabled the Windows Firewall logs (logs are pushed to the default log file C:\Windows\System32\LogFiles\Firewall\pfirewall.log).
Moreover, I can see events in the event viewer (Microsoft-Windows-Windows Firewall With Advanced Security).
The Windows Event Logs are added in Log Analytics, as you can see from the following picture.
However, I cannot see any record from the Windows Firewall table. I have already tried to uninstall and re-install the MMA and reboot the workstation. I think the MMA is working fine because I can retrieve Security Events from my workstations. Also, following the steps proposed by this post https://github.com/Azure/Azure-Sentinel/issues/164 did not help.
Do you have a solution for collecting Windows Firewall events?
Thank you in advance
6 Replies
- Rod_Trent (Microsoft)
simonepatonico A couple quick questions...
How long did you wait for the data to show up?
Did you verify that the Log Analytics agent is configured and assigned to the correct Log Analytics workspace?
- simonepatonico (Brass Contributor)
I waited for more than 24 hours and still nothing.
Yes, I configured the correct workspace; indeed, the Security Events are coming into the Log Analytics workspace.
- WouterStinkens (Copper Contributor)
Did you eventually find a solution?