I was browsing through Operations Management Suite and in the Security and Audit solution I noticed something new: a tile with the text “Distinct IP Addresses Accessed”.
When I first saw that tile my number was 0. Clicking on the tile led me to the following query:
Type=WindowsFirewall CommunicationDirection=SEND | measure count() by RemoteIP
This hinted that the information is not coming from the Security event log. Logging on to a server where I have the Microsoft Monitoring Agent installed, I was able to find the Management Pack that gathers that log:
This also showed me where those events are taken from. A quick search on the Internet found how to enable those logs with Group Policy. Create a new Group Policy Object or use an existing one, and edit it. Go to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Windows Firewall with Advanced Security –> Windows Firewall with Advanced Security. On that page you will see a link Windows Firewall Properties:
Clicking on it will allow you to configure logging for every Windows Firewall Profile – Domain, Private and Public.
When you click Customize you can configure the location of the logs, the size limit of the log file, and whether dropped packets and/or successful connections should be logged.
You can leave the location not configured, as this uses the default one, which is what we need. I lower the size limit because OMS will pick up only the old, non-active logs. I also enable logging of dropped packets and successful connections.
You can enable the same settings on specific profile or on all Windows Firewall profiles.
After enabling this policy on the servers of your choice you will start to see that tile populated, and when you click on the tile a query will be executed and show results:
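To see what the tile's query is actually counting, the following added example (not from the original post, and not OMS or Management Pack code) parses the Windows Firewall log in its W3C extended format and reproduces `CommunicationDirection=SEND | measure count() by RemoteIP` offline. The sample log lines are constructed; the mapping of `path` to `CommunicationDirection` and of the peer address (`dst-ip` for SEND, `src-ip` for RECEIVE) to `RemoteIP` is an assumption made for this example, since the post shows only the query and not the parsing rules. It also adds a defender's view that the post's tile does not: inbound packets the firewall dropped, grouped by source.

```python
"""Reproduce the OMS "Distinct IP Addresses Accessed" query against a Windows
Firewall log (pfirewall.log, W3C extended format). Example code, not OMS's own.
"""
from collections import Counter

# Constructed sample pfirewall.log content: W3C header lines followed by records.
# Addresses are from RFC 5737 documentation ranges and RFC 1918 space.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-02-10 09:12:01 ALLOW TCP 10.0.0.5 203.0.113.10 49811 443 0 - 0 0 0 - - - SEND
2016-02-10 09:12:03 ALLOW TCP 10.0.0.5 203.0.113.10 49812 443 0 - 0 0 0 - - - SEND
2016-02-10 09:12:07 ALLOW UDP 10.0.0.5 10.0.0.1 53412 53 0 - - - - - - - SEND
2016-02-10 09:12:09 DROP TCP 192.0.2.44 10.0.0.5 51022 3389 52 S 3212345678 0 8192 - - - RECEIVE
2016-02-10 09:12:10 DROP TCP 192.0.2.44 10.0.0.5 51023 445 52 S 3212345679 0 8192 - - - RECEIVE
2016-02-10 09:12:15 ALLOW TCP 10.0.0.5 198.51.100.7 49813 80 0 - 0 0 0 - - - SEND
2016-02-10 09:12:20 ALLOW ICMP 10.0.0.5 10.0.0.1 - - 60 - - - - 8 0 - SEND
"""


def parse_firewall_log(text):
    """Parse pfirewall.log text into a list of dicts keyed by the #Fields names.

    Lines starting with '#' are W3C header lines; '#Fields:' supplies the column
    names. Records with an unexpected column count are skipped, not guessed at.
    """
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before a #Fields header cannot be interpreted
        cols = line.split()
        if len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def to_oms_shape(record):
    """Map a raw record to the field names the tile's query uses.

    Assumption (not stated in the post): CommunicationDirection is the 'path'
    column and RemoteIP is the peer, i.e. dst-ip for SEND and src-ip for RECEIVE.
    'Action' and 'Protocol' are this example's own key names.
    """
    direction = record["path"]
    outbound = direction == "SEND"
    return {
        "CommunicationDirection": direction,
        "Action": record["action"],
        "Protocol": record["protocol"],
        "RemoteIP": record["dst-ip"] if outbound else record["src-ip"],
        "RemotePort": record["dst-port"] if outbound else record["src-port"],
    }


def count_by_remote_ip(records, direction="SEND"):
    """Offline equivalent of:
    Type=WindowsFirewall CommunicationDirection=SEND | measure count() by RemoteIP
    The number of keys in the result is the value shown on the tile."""
    return Counter(
        r["RemoteIP"]
        for r in map(to_oms_shape, records)
        if r["CommunicationDirection"] == direction
    )


def dropped_inbound_by_source(records):
    """Defender's view: remote hosts whose inbound packets were dropped, with counts."""
    return Counter(
        r["RemoteIP"]
        for r in map(to_oms_shape, records)
        if r["CommunicationDirection"] == "RECEIVE" and r["Action"] == "DROP"
    )


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    sent = count_by_remote_ip(recs)
    print("Distinct IP Addresses Accessed:", len(sent))
    for ip, n in sent.most_common():
        print(f"  {ip:<16} {n}")
    print("Inbound drops by source:", dict(dropped_inbound_by_source(recs)))
```

Run against the constructed sample, the outbound count groups three distinct remote addresses (the tile value), while the second view surfaces the one external host that had connection attempts to 3389 and 445 dropped, which is the part of the log that is more interesting for detection than the successful connections the tile counts.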
Hope this will be helpful for you in enabling OMS.