
I have read many similar articles and posts on how to enable Windows Firewall logging. I have a Win2k8 R2 server without Active Directory, a DC, domains or other complicated stuff. Almost all of these articles refer to GPO and enabling it there. The issue is that I don't even have it on my system. I tried to invoke "gpmc.msc" from my console, but it seems I have to install it before using it.

Then I set the Windows Firewall log file location to D:\pfirewall.log. It creates two files: pfirewall.log and pfirewall.log.old. These have all the necessary file system permissions. And they are always blank!

I don't know if there is any other mechanism to turn it on. Should I change something in the Windows registry to bring it to life?

Thanks in advance, guys!

kseen
  • Try stopping and restarting the Windows Firewall service. Then try accessing the server from another machine via RDP, UNC, etc. and then check the firewall log. – joeqwerty May 22 '12 at 13:32
  • @joeqwerty I have access to that server only through RDP. Will I keep access if I restart the firewall service? – kseen May 22 '12 at 14:00
  • You may lose your connection for a minute but you should be able to reconnect. From the Services applet, select the service, then click the restart button. This will stop then restart the service. – joeqwerty May 22 '12 at 15:04

6 Answers

There are 3 profiles available (Domain/Private/Public). You can view which one is "active" on the top node, "Windows Firewall with Advanced Security", of the MMC. Please ensure the profile that is active is the one you enabled and configured firewall logging for. You can configure the settings the same for all 3 profiles or have a unique configuration for each.

Jacob

In my case, it happened after promoting a Windows 2012 R2 server to a Domain Controller.

Adding the NT SERVICE\MPSSVC account with Full Control permissions on the C:\Windows\System32\LogFiles\Firewall folder and restarting the server solved my problem.

Luke

In addition to what has been said by others, after you ensure the log location in the firewall UI is pointing to the correct location, do the following, in this order:

  1. Make sure the log files are generated in the specified location
  2. Grant write permission on all generated log files
  3. Also grant write permission on the folder in which the log files reside

You need to grant write permission to NT SERVICE\mpssvc as well as to the Windows user account from which you plan to read the logs.

If the log files aren't generated, temporarily change the setting to log successful connections; this will force new logs to be generated, in which case you need to grant the permissions again (steps 2 and 3).

Keep in mind that if the log location is not the default, then any change made to firewall settings anywhere will cause your write permissions to be overridden, and you will need to repeat steps 2 and 3.

Also, changing the log location in the FW UI requires a system reboot!

metablaster

In the Firewall UI, where you configured logging, have you set it to actually log the packets?

-> "Log dropped packets" and "Log successful connections" set to Yes?

MichelZ
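A PowerShell version of the configuration the answers above describe, added here as an example and not taken from any of the answers: it reports which profile is currently active (Jacob's point), sets identical logging on all three profiles with both dropped and allowed connections logged (MichelZ's and metablaster's points), grants NT SERVICE\MPSSVC rights on the log folder rather than on the file that gets recreated (Luke's point), and restarts the service. It assumes the NetSecurity cmdlets of Windows 8 / Server 2012 and later; the asker's 2008 R2 only has the netsh equivalents given in the comments. The D:\FirewallLogs location is an assumption.

```powershell
# Added example (not from the original thread): configure Windows Firewall
# logging for all profiles and let the firewall service write the log.
# Requires an elevated PowerShell session and the NetSecurity module
# (Windows 8 / Server 2012 and later). On Server 2008 R2 use instead:
#   netsh advfirewall set allprofiles logging filename "D:\FirewallLogs\pfirewall.log"
#   netsh advfirewall set allprofiles logging droppedconnections enable
#   netsh advfirewall set allprofiles logging allowedconnections enable

$LogDir  = 'D:\FirewallLogs'                 # assumed location; any local folder works
$LogFile = Join-Path $LogDir 'pfirewall.log'

# 1. Which profile is active right now? Only the profile the current network
#    connection is assigned to produces log entries.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 2. Same logging settings on Domain, Private and Public, so the result does
#    not depend on which profile happens to be active. Logging allowed
#    connections is noisy; it is enabled here only to prove the log is written.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Set-NetFirewallProfile -All `
    -LogFileName $LogFile `
    -LogMaxSizeKilobytes 32767 `
    -LogBlocked True `
    -LogAllowed True

# 3. The firewall service runs as NT SERVICE\MPSSVC and recreates the file
#    with its own ACL after every restart, so grant Modify on the directory
#    with inheritance instead of on the file itself.
$acl  = Get-Acl -Path $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'NT SERVICE\MPSSVC', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 4. Restart the service so the new path takes effect. An RDP session may
#    drop for a moment; if the service refuses to stop on your build, reboot
#    instead, as the answers above note.
Restart-Service -Name MpsSvc -Force

# 5. Verify the effective settings per profile and that the file is growing.
Get-NetFirewallProfile | Select-Object Name, Enabled, LogFileName, LogBlocked, LogAllowed
Start-Sleep -Seconds 5
Get-Item -Path $LogFile | Select-Object FullName, Length
```

Run it, then open a connection to the server from another host (RDP, an SMB share) and re-run the last line: a file that stays at 0 bytes after traffic means the active profile still is not logging or the service could not write to the folder.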

I've found that log viewers like CMTrace or Trace32 have trouble viewing anything more than the firewall log headers. If you open it with Notepad I think you'll find that it's logging properly.


One thing to check: is the file >0 KB? If so, it seems several applications aren't checking READ permission, and instead just display an "empty" file.

The file was always being created with 'inherit security permissions' turned off, and explicitly had no read access for my user account (despite being a local admin).

After explicitly adding my user account, I can open and view contents.

However, if Windows recreates the log (following a reboot, or after changing log settings), the permissions are reverted.

gregmac
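A PowerShell reader for the log, added here as an example (not from the thread), that covers the two preceding answers: it checks the file size and ACL first, since a non-empty file that a viewer shows as blank is a read-permission problem (gregmac's answer), then parses the space-delimited records using the #Fields: header that tools like CMTrace stop at, and summarises dropped inbound connections by port. The log content below is constructed for the demo, and the path under $env:TEMP is an assumption; point $LogFile at the real file (by default %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).

```powershell
# Added example (not from the original thread): check and parse pfirewall.log.
$LogFile = Join-Path $env:TEMP 'pfirewall-sample.log'   # assumed path for the demo

# Constructed sample in the Windows Firewall log format: '#' metadata lines,
# a '#Fields:' line naming the columns, then space-delimited records with
# '-' for fields that do not apply to the protocol.
@'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-05-22 13:32:01 DROP TCP 198.51.100.7 192.0.2.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2012-05-22 13:32:02 DROP TCP 198.51.100.7 192.0.2.10 51235 135 52 S 1234568 0 8192 - - - RECEIVE
2012-05-22 13:32:05 ALLOW TCP 203.0.113.5 192.0.2.10 61001 3389 0 - 0 0 0 - - - RECEIVE
2012-05-22 13:32:09 DROP UDP 198.51.100.9 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2012-05-22 13:32:11 DROP ICMP 198.51.100.7 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
'@ | Set-Content -Path $LogFile -Encoding ASCII

function Import-FirewallLog {
    param([Parameter(Mandatory)][string]$Path)

    $lines  = Get-Content -Path $Path
    # Column names come from the '#Fields:' header; other '#' lines are
    # metadata and blank lines separate the header from the records.
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw "No '#Fields:' header found in $Path" }
    $fields = ($header -replace '^#Fields:\s*', '') -split ' '

    $lines |
        Where-Object { $_ -notmatch '^(#|\s*$)' } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

# A file larger than 0 bytes that a viewer shows as empty is an ACL problem,
# not an empty log: report the size and who may read it before parsing.
$item = Get-Item -Path $LogFile
'{0}: {1} bytes' -f $item.FullName, $item.Length
(Get-Acl -Path $LogFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

$entries = Import-FirewallLog -Path $LogFile

# Dropped inbound traffic grouped by protocol and destination port: shows
# both that logging works and what is probing the server.
$entries |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object protocol, 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Because the column list is taken from the header rather than hard-coded, the same function reads logs from firewall versions whose #Fields: line differs; field names containing a hyphen, such as dst-port, have to be quoted when used as property names.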