|
| 1 | +--- |
| 2 | +title: Collect Firewall logs with Azure Monitor Agent |
| 3 | +description: Configure collection of Windows Firewall logs on virtual machines with Azure Monitor Agent. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 6/1/2023 |
| 6 | +author: jeffreywolford |
| 7 | +ms.author: jeffwo |
| 8 | +ms.reviewer: jeffwo |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +# Collect firewall logs with Azure Monitor Agent (Preview) |
| 13 | +Windows Firewall is a Microsoft Windows application that filters information coming to your system from the Internet and blocks potentially harmful programs. Windows Firewall logs are generated on both client and server operating systems. These logs provide valuable information about network traffic, including dropped packets and successful connections. Parsing Windows Firewall log files can be done using methods like Windows Event Forwarding (WEF) or forwarding logs to a SIEM product like Azure Sentinel. You can turn it on or off by following these steps on any Windows system: |
| 14 | +1. Select Start, then open Settings. |
| 15 | +1. Under Update & Security, select Windows Security, Firewall & network protection. |
| 16 | +1. Select a network profile: domain, private, or public. |
| 17 | +1. Under Microsoft Defender Firewall, switch the setting to On or Off. |
| 18 | + |
| 19 | +## Prerequisites |
| 20 | +To complete this procedure, you need: |
| 21 | +- Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#azure-rbac). |
| 22 | +- [Data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint). |
| 23 | +- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-overview.md) in the workspace. |
| 24 | +- A Virtual Machine, Virtual Machine Scale Set, or Arc-enabled on-premises machine that is running firewall. |
| 25 | + |
| 26 | +## Add Firewall table to Log Analytics Workspace |
| 27 | +Unlike other tables that are created by default in LAW, the Windows Firewall table must be manually created. Search for the Security and Audit solution and create it. See screenshot below. If the table isn't present you'll get a DCR deployment error stating that the table isn't present in LAW. The schema for the firewall table that gets created is located here: [Windows Firewall Schema](/azure/azure-monitor/reference/tables/windowsfirewall) |
| 28 | + |
| 29 | +[  ](./media/data-collection-firewall-log/security-and-audit-solution.png#lightbox) |
| 30 | + |
| 31 | +## Create a data collection rule to collect firewall logs |
| 32 | +The [data collection rule](../essentials/data-collection-rule-overview.md) defines: |
| 33 | +- Which source log files Azure Monitor Agent scans for new events. |
| 34 | +- How Azure Monitor transforms events during ingestion. |
| 35 | +- The destination Log Analytics workspace and table to which Azure Monitor sends the data. |
| 36 | + |
| 37 | +You can define a data collection rule to send data from multiple machines to multiple Log Analytics workspaces, including workspaces in a different region or tenant. Create the data collection rule in the *same region* as your Analytics workspace. |
| 38 | + |
| 39 | +> [!NOTE] |
| 40 | +> To send data across tenants, you must first enable [Azure Lighthouse](../../lighthouse/overview.md). |
| 41 | +
|
| 42 | +To create the data collection rule in the Azure portal: |
| 43 | +1. On the **Monitor** menu, select **Data Collection Rules**. |
| 44 | +1. Select **Create** to create a new data collection rule and associations. |
| 45 | + |
| 46 | + [  ](media/data-collection-firewall-log/data-collection-rules-updated.png#lightbox) |
| 47 | + |
| 48 | +1. Enter a **Rule name** and specify a **Subscription**, **Resource Group**, **Region**, and **Platform Type**: |
| 49 | + - **Region** specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant. |
| 50 | + - **Platform Type** specifies the type of resources this rule can apply to. The **Custom** option allows for both Windows and Linux types. |
| 51 | + -**Data Collection End Point** select a previously created data [collection end point](../essentials/data-collection-endpoint-overview.md). |
| 52 | + |
| 53 | + [  ](media/data-collection-firewall-log/data-collection-rule-basics-updated.png#lightbox) |
| 54 | +1. On the **Resources** tab: Select **+ Add resources** and associate resources with the data collection rule. Resources can be Virtual Machines, Virtual Machine Scale Sets, and Azure Arc for servers. The Azure portal installs Azure Monitor Agent on resources that don't already have it installed. |
| 55 | + |
| 56 | +> [!IMPORTANT] |
| 57 | +> The portal enables system-assigned managed identity on the target resources, along with existing user-assigned |
| 58 | +> identities, if there are any. For existing applications, unless you specify the user-assigned identity in the |
| 59 | +> request, the machine defaults to using system-assigned identity instead. If you need network isolation using private |
| 60 | +> links, select existing endpoints from the same region for the respective resources or [create a new endpoint](../essentials/data-collection-endpoint-overview.md). |
| 61 | +
|
| 62 | +1. On the **Collect and deliver** tab, select **Add data source** to add a data source and set a destination. |
| 63 | +1. Select **Firewall Logs**. |
| 64 | + |
| 65 | + [ ](media/data-collection-firewall-log/firewall-data-collection-rule.png#lightbox) |
| 66 | + |
| 67 | +1. On the **Destination** tab, add one or more destinations for the data source. You can select multiple destinations of the same or different types. For instance, you can select multiple Log Analytics workspaces, which is also known as multihoming. |
| 68 | + |
| 69 | + [  ](media/data-collection-firewall-log/data-collection-rule-destination.png#lightbox) |
| 70 | + |
| 71 | +1. Select **Review + create** to review the details of the data collection rule and association with the set of virtual machines. |
| 72 | +1. Select **Create** to create the data collection rule. |
| 73 | + |
| 74 | +> [!NOTE] |
| 75 | +> It can take up to 5 minutes for data to be sent to the destinations after you create the data collection rule. |
| 76 | +
|
| 77 | + |
| 78 | +### Sample log queries |
| 79 | + |
| 80 | +Count the firewall log entries by URL for the host www.contoso.com. |
| 81 | + |
| 82 | +```kusto |
| 83 | +WindowsFirewall |
| 84 | +| take 10 |
| 85 | +``` |
| 86 | + |
| 87 | +[  ](media/data-collection-firewall-log/law-query-results.png#lightbox) |
| 88 | + |
| 89 | +## Troubleshoot |
| 90 | +Use the following steps to troubleshoot the collection of firewall logs. |
| 91 | + |
| 92 | +### Run Azure Monitor Agent troubleshooter |
| 93 | +To test your configuration and share logs with Microsoft [use the Azure Monitor Agent Troubleshooter](use-azure-monitor-agent-troubleshooter.md). |
| 94 | + |
| 95 | +### Check if any firewall logs have been received |
| 96 | +Start by checking if any records have been collected for your firewall logs by running the following query in Log Analytics. If the query doesn't return records, check the other sections for possible causes. This query looks for entries in the last two days, but you can modify for another time range. |
| 97 | + |
| 98 | +``` kusto |
| 99 | +WindowsFirewall |
| 100 | +| where TimeGenerated > ago(48h) |
| 101 | +| order by TimeGenerated desc |
| 102 | +``` |
| 103 | + |
| 104 | +### Verify that firewall logs are being created |
| 105 | +Look at the timestamps of the log files and open the latest to see that latest timestamps are present in the log files. The default location for firewall log files is C:\windows\system32\logfiles\firewall\pfirewall.log. |
| 106 | + |
| 107 | +[  ](media/data-collection-firewall-log/firewall-files-on-disk.png#lightbox) |
| 108 | + |
| 109 | +To turn on logging follow these steps. |
| 110 | +1. gpedit {follow the picture} |
| 111 | +2. netsh advfirewall>set allprofiles logging allowedconnections enable |
| 112 | +3. netsh advfirewall>set allprofiles logging droppedconnections enable |
| 113 | + |
| 114 | +[  ](media/data-collection-firewall-log/turn-on-firewall-logging.png#lightbox) |
| 115 | + |
| 116 | +## Next steps |
| 117 | +Learn more about: |
| 118 | +- [Azure Monitor Agent](azure-monitor-agent-overview.md). |
| 119 | +- [Data collection rules](../essentials/data-collection-rule-overview.md). |
| 120 | +- [Data collection endpoints](../essentials/data-collection-endpoint-overview.md) |
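Review bot: the sentence above the first Kusto block in "Sample log queries" does not describe the query under it: the text says "Count the firewall log entries by URL for the host www.contoso.com", but the query is `WindowsFirewall | take 10`, which neither counts nor filters by host and just returns ten arbitrary rows. Either change the sentence to something like "Return ten sample entries from the WindowsFirewall table" or replace the query with one that actually summarizes by a column from the linked Windows Firewall schema. Smaller points in the same hunk: step "1. gpedit {follow the picture}" under "To turn on logging" is a placeholder rather than an instruction and should either name the Group Policy path or be dropped, since the two `netsh advfirewall` steps already enable logging of allowed and dropped connections; those two steps are written as an interactive prompt (`netsh advfirewall>set allprofiles logging droppedconnections enable`) and would be easier to copy as plain command lines in a fenced block; the bullet `-**Data Collection End Point**` is missing the space after the hyphen and will not render as a list item; the fence "``` kusto" in the troubleshooting section has a space before the language tag, which some renderers do not recognise; and "Arc-enabled on-premises machine that is running firewall" should read "that is running Windows Firewall".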