Issue collecting Windows Firewall Events


Hi community,

I have a problem collecting Windows Firewall events from my Windows 10 VMs.

I enabled the Windows Firewall connector in Sentinel, installed the MMA (64-bit version 10.20.18018.0) on the workstation and enabled the Windows Firewall logs (logs are pushed to the default log file C:\Windows\System32\LogFiles\Firewall\pfirewall.log).

Moreover, I can see events in the event viewer (Microsoft-Windows-Windows Firewall With Advanced Security).

[Image: Capture1.PNG]

The Windows Event Logs are added in Log Analytics, as you can see from the following picture.

[Image: Capture2.PNG]

However, I cannot see any record in the Windows Firewall table. I have already tried to uninstall and reinstall the MMA and reboot the workstation. I think the MMA is working fine because I can retrieve Security Events from my workstations. Also, following the steps proposed in this post, https://github.com/Azure/Azure-Sentinel/issues/164, did not help.

Do you have a solution for collecting Windows Firewall events?

Thank you in advance

6 Replies

@simonepatonico A couple of quick questions...

How long did you wait for the data to show up?

Did you verify that the Log Analytics agent is configured and assigned to the correct Log Analytics workspace?

@rodtrent

I waited for more than 24 hours and still nothing.

Yes, I configured the correct workspace; indeed, the Security Events are coming into the Log Analytics workspace.

@simonepatonico

Did you eventually find a solution?

@WouterStinkens Yes, you need to reduce the size of the log file to a few KB. I reduced it to 2 KB and it works!

@simonepatonico could you please tell me if reducing the log file size to 2 KB solved your problem permanently? I was facing the same issue as you and received logs from Windows Firewall as soon as I reduced the log file size to 2 KB, but the next day I again couldn't see the Windows Firewall logs.

Did you try any other solution after reducing the log file size?

@saurabh09 Yes, I solved the problem by reducing the log file size to 2 KB. However, since Windows Firewall does not log all the data that I need, I did not use it for Analytics rules in Azure Sentinel. If your machines are VMs in Azure, I suggest you integrate logs from Network Security Groups, but that would require you to set up a custom table in the Log Analytics workspace.

Regards

Simone
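The workaround the thread settles on (capping pfirewall.log at 2 KB) and the two checks asked for in the replies (is the file actually being written, and is the agent assigned to the right workspace) can all be done from an elevated PowerShell session on the VM. The script below is an added example, not code from any participant in this thread or from Microsoft; it assumes the default log path quoted in the original post, the `Set-NetFirewallProfile`/`Get-NetFirewallProfile` cmdlets that ship with Windows 10, and the MMA's `AgentConfigManager.MgmtSvcCfg` COM object. Since one participant reports that collection stopped again the day after applying the 2 KB cap, steps 3 to 5 are the ones to rerun when the table goes quiet, to tell a firewall-logging problem apart from an agent problem.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Windows 10 VM that hosts the Microsoft Monitoring Agent (MMA).
# Assumption: the firewall log lives at the default path given in the post.
$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# 1. Log both dropped and allowed packets on every profile, at the default
#    path, and cap the file at 2 KB as reported to work in the thread.
#    LogMaxSizeKilobytes accepts 1-32767; the cap only changes when the log rolls.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 2

# 2. Confirm the setting took effect on each profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogFileName, LogMaxSizeKilobytes, LogAllowed, LogBlocked |
    Format-Table -AutoSize

# 3. Confirm the file is actually being written (size and last write time)
#    and show the newest entries so they can be matched against what later
#    appears in the Log Analytics workspace.
if (Test-Path $LogPath) {
    Get-Item $LogPath | Select-Object FullName, Length, LastWriteTime
    Get-Content $LogPath -Tail 5
} else {
    Write-Warning "No firewall log at $LogPath yet; generate some traffic and re-check."
}

# 4. Answer the reply's question "is the agent assigned to the right workspace?"
#    The MMA exposes its configuration through a COM object; compare the
#    workspace ID(s) it lists with the ID of your Sentinel workspace.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() | Format-List

# 5. Confirm the agent service itself is running (service name: HealthService).
Get-Service -Name HealthService | Select-Object Name, Status
```

If step 3 shows a file that keeps growing and rolling over while step 4 lists the expected workspace ID and step 5 shows the service running, the remaining gap is between the agent and the workspace and is worth raising with the connector rather than with firewall logging; if the file is not being written at all, the problem is local to the firewall profile settings.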