This topic explains how to collect Windows Firewall logs.
Windows Firewall provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.
NXLog can be configured to collect Windows Firewall logs.
The Windows Firewall can be configured to log traffic information via the Advanced Security Log. These logs can provide valuable information like source and destination IP addresses, port numbers, and protocols for both blocked and allowed traffic. The log file follows the standard W3C format—see W3C Extended Log File Format section for more information.
```
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - SEND
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - RECEIVE
2018-10-16 08:20:36 ALLOW 250 127.0.0.1 127.0.0.1 - - 0 - - - - - - - SEND
```
There are several different actions that can be logged in the Windows Firewall log:
- DROP for dropping a connection,
- OPEN for opening a connection,
- closing a connection,
- OPEN-INBOUND for an inbound session opened to the local computer, and
- INFO-EVENTS-LOST for events processed by the Windows Firewall but which were not recorded in the Security Log.
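As an added example (not part of the NXLog documentation), a small Python parser for the W3C-formatted log described above: it reads the column names from the #Fields directive, maps the "-" placeholder to None, and tallies DROP records by destination port, which is a common first triage view of a firewall log. The sample lines are constructed, including the DROP entries and the RFC 5737 addresses.

```python
from collections import Counter

# Constructed sample in the W3C format Windows Firewall writes; not from a real host.
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - SEND
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - RECEIVE
2018-10-16 08:20:37 DROP TCP 198.51.100.7 192.0.2.10 51234 3389 52 S 1 0 64240 - - - RECEIVE
2018-10-16 08:20:38 DROP TCP 198.51.100.7 192.0.2.10 51235 445 52 S 1 0 64240 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Parse W3C-formatted Windows Firewall log text.

    The #Fields directive names the columns; a '-' value means "not applicable"
    and is mapped to None. Other '#' directives (Software, Time Format) are
    returned as metadata. Returns (metadata, records).
    """
    fields = None
    metadata = {}
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key == "Fields":
                fields = value.split()
            else:
                metadata[key] = value.strip()
            continue
        if fields is None:
            raise ValueError("data line seen before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return metadata, records


def dropped_by_destination_port(records):
    """Count DROP records per destination port."""
    return Counter(r["dst-port"] for r in records if r["action"] == "DROP")
```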
For information about configuring the Windows Firewall Security log, please refer to Configure the Windows Defender Firewall with Advanced Security Log on Microsoft Docs.
Change auditing of Windows Firewall is part of a defense-in-depth strategy because it can be used to generate alerts about malicious software that is attempting to modify firewall settings. Auditing can also help administrators determine the network needs of their applications and design appropriate policies for deployment to users.
There are several ways to enable Windows Firewall audit logging.
- Enabling auditing locally via the GUI
  1. Open the Local Security Settings console.
  2. In the console tree, click Local Policies, and then click Audit Policy.
  3. In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success and Failure, and then click OK.
  4. In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success and Failure, and then click OK.
- Enabling auditing via Group Policy
Alternatively, audit logging can be enabled for multiple computers in an Active Directory domain using Group Policy. Modify the Audit Policy Change and Audit Process Tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.
- Auditing with auditpol.exe
  Finally, the following command can be used to enable Windows Firewall audit logs.

```
> auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable
```
After audit logging is enabled, audit events can be viewed in the Security event log or collected with NXLog. For a full list of Windows Security Audit events, download the Windows security audit events spreadsheet from the Microsoft Download Center.
This example collects Windows Firewall events from Windows Event Log using the im_msvistalog module.
```
<Input WinFirewallEventLog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Network Isolation Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
```
Event Tracing for Windows (ETW) is a logging and tracing mechanism used by developers. ETW includes event logging and tracing capabilities provided by the operating system. Implemented in the kernel, it traces events in user mode applications, the operating system kernel, and kernel-mode device drivers. For more information, see Event Tracing on Microsoft Docs.
This configuration uses the im_etw module to collect Windows Firewall related traces from Event Tracing for Windows.