Windows firewall logs are marked with a fixed tag: firewall.windows.stdout. For more information on how tags work, check the Introduction to tags article.
How to send Windows firewall logs to Devo?
To send Windows firewall logs to Devo you must:
- Activate the logging of Windows firewall events in a local file of the computer.
- Monitor that file using MagicLog (Devo Windows agent).
Windows configuration to log Windows firewall events
The first step is to activate the logging of Windows firewall events in the operating system. To do it:
- Go to Control Panel → System and Security → Windows Firewall.
- In the left area, click Advanced settings.
- In the Windows Firewall with Advanced Security window, click Properties in the Actions panel.
- The Windows Firewall with Advanced Security on Local Computer Properties window includes a tab for each connection type, corresponding to the Windows connection profile types (public profile, private profile and domain profile). In the Logging section, click Customize...
Here you can choose the events to be logged for each profile type. You can log successful connections, dropped packets or both by selecting Yes in the dropdown menu next to each option. You can also enter a name for the log file to be generated for that profile and set its size limit. Each profile type can have its own configuration. It is recommended to note down the log file names, since you will have to enter them in the Windows agent.
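The same logging settings can be applied without the Control Panel dialogs. The following is an added example, not part of the Devo documentation, that uses the built-in NetSecurity cmdlets from an elevated PowerShell session to enable logging of both successful connections and dropped packets on all three profiles and then reads the configuration back. The per-profile file names and the size limit are assumptions; change them to match your environment.

```powershell
# Added example (not from the Devo documentation): enable Windows Firewall
# logging per profile with Set-NetFirewallProfile, then read it back.
# Run from an elevated PowerShell session.

# One log file per profile, all under the folder MagicLog will later watch.
# File names and size limit are assumptions; adjust them as needed.
$logDir = "$env:SystemRoot\System32\LogFiles\Firewall"
$logFiles = @{
    Domain  = "$logDir\pfirewall-domain.log"
    Private = "$logDir\pfirewall-private.log"
    Public  = "$logDir\pfirewall-public.log"
}

foreach ($profileName in $logFiles.Keys) {
    # LogAllowed = successful connections, LogBlocked = dropped packets;
    # LogMaxSizeKilobytes is the size limit from the Customize... dialog.
    Set-NetFirewallProfile -Name $profileName `
        -LogFileName $logFiles[$profileName] `
        -LogAllowed True `
        -LogBlocked True `
        -LogMaxSizeKilobytes 16384
}

# Read the settings back. The LogFileName values are exactly what you need
# to note down for the Windows agent configuration.
Get-NetFirewallProfile -Name Domain, Private, Public |
    Select-Object Name, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes |
    Format-Table -AutoSize
```

If firewall settings are enforced by Group Policy, the local values set here are overridden by the policy, so the read-back step is the one to trust: the LogFileName it shows is the file that will actually be written.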
Log file collection using the Windows agent
- Execute the Windows agent, by default located at:
- c:\Program Files (x86)\Devo Agents\MagicConfigApp.exe (64-bit Windows).
- c:\Program Files\Devo Agents\MagicConfigApp.exe (32-bit Windows).
- Click Next until the MagicLog window appears and select Add...
Note that the events will not be properly parsed unless they are labeled with the firewall.windows.stdout tag. Enter it in the Tag column.
- Enter c:\Windows\system32\logfiles\firewall in the Folder Path field if the Windows firewall log files are generated there.
- Windows logger generates files with the *.log extension. Enter it in the File Pattern field.
- Since logs are plain text, select TEXT in the File Format field.
- In the Search Options field, select All Directories.
- Accept all and restart the Windows Devo agent.
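Before restarting the agent it is worth confirming that the files under the Folder Path actually contain firewall events. The Windows Firewall log is plain text with a W3C-style header whose #Fields line names the columns, which is why TEXT is the right File Format above. The following is an added example, not part of the Devo documentation, that parses that layout and summarises dropped inbound packets by destination; the sample lines are constructed, and the function name is our own.

```powershell
# Added example (not from the Devo documentation): parse Windows Firewall log
# text using its own #Fields header and summarise dropped inbound packets.
# The sample below is constructed; real files use the same layout.

function ConvertFrom-WindowsFirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header defines the column order, so the parser follows the file.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before #Fields.
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$record
    }
}

# Constructed sample of a Windows Firewall log file.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 10.0.0.25 10.0.0.10 51422 445 52 S 3116567300 0 64240 - - - RECEIVE
2024-01-15 09:12:02 DROP TCP 10.0.0.25 10.0.0.10 51423 3389 52 S 3116567301 0 64240 - - - RECEIVE
2024-01-15 09:12:05 ALLOW TCP 10.0.0.10 10.0.0.7 50112 443 0 - 0 0 0 - - - SEND
2024-01-15 09:12:09 DROP TCP 10.0.0.31 10.0.0.10 40001 445 52 S 992811400 0 64240 - - - RECEIVE
'@ -split "`r?`n"

$events = ConvertFrom-WindowsFirewallLog -Lines $sample

# Dropped inbound packets grouped by destination IP and port: a quick local
# view of what the firewall is rejecting before the same events reach Devo.
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object -Property 'dst-ip', 'dst-port' |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

To run the same summary over the files MagicLog will collect, replace $sample with the output of Get-ChildItem on the Folder Path using the same *.log filter and -Recurse (the equivalent of All Directories), piped to Get-Content. If the only lines returned are headers, no profile is writing events yet and the logging configuration should be checked before the agent is restarted.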
Below you can see an example of the table firewall.windows.stdout: