Windows firewall logs

Posted: Mon Jan 06, 2020 10:01 am
by CHCB802
I'm trying to send Windows firewall logs located at C:\Windows\system32\LogFiles\Firewall\pfirewall.log to the Nagios log server using the article below

https://support.nagios.com/kb/article/n ... s-488.html

I attached my complete nxlog.conf file but here is the section I added. How do you send the Windows firewall logs?

# Read the Windows Firewall log file and forward each line as the message body
<Input pfirewall>
Module im_file
File 'C:\Windows\system32\LogFiles\Firewall\pfirewall.log'
# Do not remember the read position and start from the top, so the whole
# existing file is sent on first run
SavePos FALSE
ReadFromLast FALSE
Exec $Message = $raw_event;
</Input>

# Add the new input alongside the existing ones so it reaches the same output
<Route 1>
Path internal, file1, eventlog, pfirewall => out
</Route>

Re: Windows firewall logs

Posted: Mon Jan 06, 2020 1:23 pm
by mbellerue
Generally that looks correct. Can you verify that the pfirewall.log file exists and has data in it? That's where my system is set to write firewall logs as well, but I don't even have the file.

Re: Windows firewall logs

Posted: Mon Jan 06, 2020 7:49 pm
by CHCB802
Once you turn your firewall on and enable logging, the file will be created,
and C:\Windows\system32\LogFiles\Firewall\pfirewall.log is the universal storage location on all Windows 10 and Server editions.


Do I need to enter text to use Module im_file?

Re: Windows firewall logs

Posted: Mon Jan 06, 2020 8:13 pm
by Box293
The guide states that initially it will send all the log data to Nagios Log Server, that is why SavePos FALSE and ReadFromLast FALSE are initially defined.

Does the pfirewall.log file contain data and is it being populated with information?

You can enable debugging on NXLog to see what is happening:

	# Uncomment for debug output
	# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
Did you test NXLog before proceeding to add extra logging? Was this a fresh install of NXLog on this machine? It may just be that NXLog is not correctly working, for example firewall ports may not be open.
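Both replies above come down to the same check: is firewall logging actually enabled, and is pfirewall.log present and growing? The PowerShell below is an added example, not from the thread or from Nagios/NXLog, that answers those questions before NXLog is pointed at the file; it assumes the built-in NetSecurity cmdlets (Windows 8/2012 and later) and the default log path.

```powershell
# Added example: confirm Windows Firewall logging is on and pfirewall.log is being
# written, before configuring NXLog's im_file against it.

# Each profile (Domain/Private/Public) has its own logging switches. Out of the
# box only LogFileName is set and LogAllowed/LogBlocked are both False, which is
# why the file often does not exist at all (mbellerue's situation above).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Resolve the configured path (it contains %systemroot%) rather than assuming
# the default; the Public profile is used here, adjust if profiles differ.
$logPath = [Environment]::ExpandEnvironmentVariables(
    (Get-NetFirewallProfile -Profile Public).LogFileName)

if (-not (Test-Path $logPath)) {
    Write-Warning "No log file at $logPath - logging is not enabled or nothing has been written yet."
} else {
    $item = Get-Item $logPath
    "{0}: {1} bytes, last write {2}" -f $item.FullName, $item.Length, $item.LastWriteTime
    # The file starts with W3C-style header lines (#Version, #Software, #Time,
    # #Fields); the ALLOW/DROP records follow. Tail it to see entries arriving.
    Get-Content $logPath -Tail 5
}

# To enable logging on every profile (run elevated). Dropped packets alone are
# usually what a SIEM wants; LogAllowed True adds considerable volume.
# Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogAllowed False `
#     -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
#     -LogMaxSizeKilobytes 32767
```

Note that im_file forwards the `#` header lines too, so expect a few non-record events tagged with the pfirewall SourceModuleName on the Nagios Log Server side.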

Re: Windows firewall logs

Posted: Mon Jan 06, 2020 9:58 pm
by CHCB802
Yes, the pfirewall.log file does contain data and is being populated.
Yes, I set up NXLog to first send event logs and it works fine; the Nagios Log Server gets all the event logs.

I reread the article and had missed an important section that stated I had to filter my search for the SourceModuleName on the log server.
It's working, thanks for talking me through it.

To explain the changes made above, the name important_application is what Nagios Log Server will identify as the SourceModuleName field when it is received.

Re: Windows firewall logs

Posted: Tue Jan 07, 2020 10:23 am
by mbellerue
Excellent, I'm glad you got it working! Thank you for posting the solution back here! I will close this thread.