This topic explains how to collect Windows Firewall logs.
Windows Firewall provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.
NXLog can be configured to collect Windows Firewall logs.
Logging Windows Firewall traffic information
The Windows Firewall can be configured to log traffic information via the Advanced Security Log. These logs can provide valuable information like source and destination IP addresses, port numbers, and protocols for both blocked and allowed traffic. The log file follows the standard W3C format—see W3C Extended Log File Format section for more information.
#Software: Microsoft Windows Firewall #Time Format: Local #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path 2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - SEND 2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - RECEIVE 2018-10-16 08:20:36 ALLOW 250 127.0.0.1 127.0.0.1 - - 0 - - - - - - - SEND
There are several different actions that can be logged in the
DROP for dropping a connection,
OPEN for opening a connection,
closing a connection,
OPEN-INBOUND for an inbound session opened to the
local computer, and
INFO-EVENTS-LOST for events processed by the Windows
Firewall but which were not recorded in the Security Log.
For information about configuring the Windows Firewall Security log, please refer to Configure the Windows Defender Firewall with Advanced Security Log on Microsoft Docs.
define EMPTY_EVENT_REGEX /(^$|^\s+$)/ <Extension w3c_parser> Module xm_w3c </Extension> <Input pfirewall> Module im_file File 'C:\Windows\system32\LogFiles\Firewall\pfirewall.log' InputType w3c_parser Exec if $raw_event =~ %EMPTY_EVENT_REGEX% drop(); </Input>
Auditing the activity of Windows Firewall
Change auditing of Windows Firewall is part of a defense-in-depth strategy because it can be used to generate alerts about malicious software that is attempting to modify firewall settings. Auditing can also help administrators determine the network needs of their applications and design appropriate policies for deployment to users.
There are several ways to enable Windows Firewall audit logging.
- Enabling auditing locally via the GUI
Open the Local Security Settings console.
In the console tree, click Local Policies, and then click Audit Policy.
In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success and Failure, and then click OK.
In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success and Failure, and then click OK.
- Enabling auditing via Group Policy
Alternatively, audit logging can be enabled for multiple computers in an Active Directory domain using Group Policy. Modify the Audit Policy Change and Audit Process Tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.
- Auditing with the auditpol.exe
Finally, the following command can be used to enable Windows Firewall audit logs.
> auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable
After audit logging is enabled, audit events can be viewed in the Security event log or collected with NXLog. For a full list of Windows Security Audit events, download the Windows security audit events spreadsheet from the Microsoft Download Center.
This example collects Windows Firewall events from Windows Event Log using the im_msvistalog module.
<Input WinFirewallEventLog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select> <Select Path="Network Isolation Operational">*</Select> </Query> </QueryList> </QueryXML> </Input>
Collecting Windows Firewall logs from ETW
Event Tracing for Windows (ETW) is a logging and tracing mechanism used by developers. ETW includes event logging and tracing capabilities provided by the operating system. Implemented in the kernel, it traces events in user mode applications, the operating system kernel, and kernel-mode device drivers. For more information, see Event Tracing on Microsoft Docs.
This configuration uses the im_etw module to collect Windows Firewall related traces from Event Tracing for Windows.
<Input etw> Module im_etw Provider Microsoft-Windows-Firewall </Input> <Input etw2> Module im_etw Provider Microsoft-Windows-Windows Firewall With Advanced Security </Input>