Windows Firewall Auditing with Operations Management Suite


I was browsing trough Operations Management Suite and in the Security and Audit Solution I’ve noticed something new. There was a tile with text “Distinct IP Addresses Accessed”.

image

When I first saw that tile my number was 0. Clicking on the tile lead me to the following query:

Type=WindowsFirewall CommunicationDirection=SEND | measure count() by RemoteIP

This hinted me that this information is not coming from Security event log. Logging to a server where I have the Microsoft Monitoring Agent installed I was able to find the Management Pack that gathers that log:

image

This also showed me from where those events are taken. Quick search over Internet I’ve found how to enable those logs with group policy. You need to create or use existing group policy. Edit the group policy. Go to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Windows Firewall with Advanced Security –> Windows Firewall with Advanced Security. On that page you will see a link Windows Firewall Properties:

image

Clicking on it will allow you to configure logging for every Windows Firewall Profile – Domain, Private and Public.

image

When you click customize you can configure the location of the logs, in what size the logs are created and should dropped packets be log and or successful connections as well.

image

You can leave the location not configured as this will use the default one and that is what we need. I lower the limit to lower size because OMS will pick only the old non-active logs. And I also enable dropped packets and successful connections.

You can enable the same settings on specific profile or on all Windows Firewall profiles.

After enabling this policy on the servers of your choice you will start to see that tile populated and of course when you click on the tile a query will be executed and will show results:

image

Hope this will be helpful for you in enabling OMS.

Advertisements

One thought on “Windows Firewall Auditing with Operations Management Suite

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s