Windows Firewall with Advanced Security can be configured to log events that indicate the successes and failures of its processes. The logging settings involve two groups of settings: settings for the log file itself and settings that determine which events the file will record. The settings can be configured separately for each of the firewall profiles.
You can specify where the log file will be created, how big the file can grow, and whether you want the log file to record information about dropped packets, successful connections, or both.
|To get to this dialog box|
From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall properties.
Select the tab that corresponds to the firewall profile for which you want to configure logging.
In Logging, click Customize.
Enter the path and name of the file in which you want Windows Firewall to write its log information. If you are configuring a Group Policy object (GPO) for deployment to multiple computers, use the available environment variables, such as %windir%, to ensure that the location is correct for each computer on your network.
Just specifying a file location does not start logging. You must also select one of the two check boxes to log dropped packets or successful connections.
If you are configuring the setting for a computer that is running Windows Vista or later version of Windows, and you specify a location other than the default, you must ensure that the Windows Firewall service has permissions to write to that location.
|To grant write permissions for the log folder to the Windows Firewall service|
Locate the folder that you specified for the logging file, right-click it, and then click Properties.
Click the Security tab, and then click Edit.
Click Add, in Enter object names to select, type NT SERVICE\mpssvc, and then click OK.
In the Permissions dialog box, verify that MpsSvc has Write access, and then click OK.
Specify the maximum size to which the file is permitted to grow. The value must be between 1 and 32,767 kilobytes (KB).
When the specified size limit is reached, Windows Firewall with Advanced Security closes the log file and renames it by adding ".old" to the end of the file name. It then creates and uses a new log file that has the original log file name. Only two files are kept at a time. If the second file reaches the maximum size, then it is renamed by adding “.old”, and the original “.old” file is discarded.
Log dropped packets
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.
Log successful connections
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.
The Windows Firewall with Advanced Security operational event log is another resource you can use to view Windows Firewall policy changes. The operational log is always on and contains events for both firewall rules and connection security rules.
|To view the Windows Firewall with Advanced Security event log|
Open Event Viewer. Click Start, click Administrative Tools, and then click Event Viewer.
In the navigation pane, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.
Click either ConnectionSecurity, ConnectionSecurityVerbose, Firewall, or FirewallVerbose. The logs marked “verbose” are not enabled by default. To enable them, in Actions, click Enable Log.