How do I get windows firewall logs my workspace?

Question

How do I get windows firewall logs my workspace?

F S 25

I have a W11 endpoint, not a VM btw. I deployed AMA through Intune. AMA is running fine. My workspace is only showing Heartbeat logs for the endpoint.

I need FW logs. I made sure public, private & domain profiles are enabled on my endpoint. I made sure logging for successful & dropped packets are enabled on all profiles too. I checked my firewall logs and there are firewall logs accumulating.

I have a data connector (Windows Firewall) connected to my workspace. It shows connected and is configured properly. I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.

Is there something I'm missing to get the FW logs to show in my workspace?

Sándor Tőkési 251 Reputation points

2025-03-12T06:20:57.86+00:00

1: When you say 'I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.' - does this mean you have it connected and it just stopped working without you doing anything, or had you made some changed before it stopped working?

2: Can you see the data anywhere in Sentinel? Maybe they are not in their native location for any reasons that can cause the connector to show 'disconnected'.

3: You can enable the DCR diagnostic settings to see whether they create any error messages in your Sentinel.

4: Have you deployed the DCR from the connector page? If so, have you made any changes in the DCR manualy, or is it the default DCR?

5: If you go to your machine, can you see the DCR config there? I've seen some machines not downloading the DCR settings. In this case, some changes in the DCR or reassigning the DCR usually solved the problem for me.
F S 25 Reputation points

2025-03-12T17:11:29.2833333+00:00

It stopped working without me doing anything. I just checked again this morning and now the Windows Firewall data connector is also disconnected. A week ago I originally installed 3 data connectors (Windows Firewall, Windows Firewall via AMA, and Windows Security Events via AMA) and it looks like only the Windows Security Events via AMA is still there. Maybe I should start troubleshooting from here first?BTW forgot to mention that everything is all new to me, so I could definitely be setting things up wrong.

Also, how do I check DCR settings on my machine?
Vinod Pittala 1,600 Reputation points Microsoft External Staff

2025-03-20T08:10:21.9666667+00:00
Hello F S,

Apologies for the delay in response.

Since you mentioned that the data connector for Windows Firewall is now disconnected, as you said it might be helpful to start by checking the configuration and status of your data connectors.

Revisit the "Data Connectors" section in the Azure Monitor and ensure that the Windows Firewall and Windows Firewall via AMA connectors are properly configured.

Check that the connectors are enabled and linked to the correct Log Analytics workspace.

Also, how do I check DCR settings on my machine?

Go to the Azure portal and navigate to "Azure Monitor" -> "Data Collection Rules."

Locate the DCR associated with the Windows Firewall via AMA data connector.

Ensure that the DCR is correctly configured to collect the necessary Windows Firewall logs. It should include the relevant event IDs and sources for firewall logs.

Ensure the DCR is assigned to the correct scope, which should include the endpoint you are monitoring.

Check that the right machines are associated with the DCR by verifying the scope settings.

And verify that AMA is deployed and running on the endpoint. You can check this in the "Services" management console (services.msc) on the Windows endpoint.

And make sure that both the endpoint and the Azure Monitor Agent (AMA) are up to date with the latest patches and updates.

Restart the endpoint to ensure all configurations are correctly applied and services are running as expected.

Please get back to us if you encounter any challenges.

If the comment is helpful, please click Upvote.

Thanks
F S 25 Reputation points

2025-03-20T20:22:34.1266667+00:00

So I went back to the Windows Firewall connector page and then under the configuration section, I installed the Windows Firewall Solution. It's showing connected again.

I went to Windows Firewall Events via AMA and for pre-requisites, it says: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled.

I assumed I didn't need to have Azure Arc for my endpoint since I installed AMA. Am I wrong for assuming that?

Under the configuration section, I have a DCR set up:

Under Basic, I have the name, subscription, and resource group.
Under Resources, it never loads. It looks like it's trying to load but nothing ever pops up.
Under Collect, I have the Domain, Private, and Public profiles selected.

The next tab is Review & Create.
Is there a section where I should be able to include Event IDs?

Other than that, idk what I have to do here to get it to show as connected.
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-20T23:57:00.8366667+00:00

Hi F S,

Azure Arc is essential for non-Azure machines (such as on-premises or other cloud environments) to integrate with Azure services like Azure Monitor.

It allows these machines to function as Azure resources, enabling centralized management and monitoring.

If your endpoint is an Azure VM, Azure Arc is not required. However, for non-Azure machines, Azure Arc is mandatory to use the Azure Monitor Agent (AMA) and collect data.

Since you've installed AMA, ensure that Azure Arc is also installed and enabled if your machine is non-Azure.

https://learn.microsoft.com/en-us/azure/azure-arc/choose-service

https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-server

After OnBoarding Azure ARC Go to Azure Monitor → Data Collection Rules

Please "upvote" if the comment is helpful
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-21T22:57:26.1333333+00:00

Hi F S,
Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.
Vinod Pittala 1,600 Reputation points Microsoft External Staff

2025-03-24T05:23:49.5266667+00:00

Hello F S,

We haven't heard back from you regarding the advice Naveena Patlolla provided earlier. Could you please let us know if it was helpful?

If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.

Thanks
F S 25 Reputation points

2025-03-24T13:24:58.8366667+00:00

Hello,

I was able to get Azure ARC installed onto the endpoint.

I then went to the Windows Firewall Events via AMA data connector page, and edited the DCR so that the resource selected was my endpoint. The data connector still shows disconnected though. Is there something else I need to do?
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-24T20:17:26.0966667+00:00

Hello F S,
Please refer to the below documents
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/troubleshooter-ama-windows?tabs=WindowsPowerShell
https://learn.microsoft.com/en-us/azure/azure-monitor/vm/data-collection-firewall-logs#configure-firewall-logs-data-source
F S 25 Reputation points

2025-03-24T21:30:34.88+00:00
I ran the troubleshooter from the first link and it showed:

These were the results from the troubleshooter:

I continued onto the second link. From there I:

Installed the Security and Audit solution

Configured another DCR following the steps in the link

Tried to verify the data collection but the WindowsFirewall query returned nothing, even after waiting for 20 minutes and restarting my laptop.

Then I followed the troubleshooting steps.

I confirmed FW is enabled.

FW logs are being created.

It said to run the AMA troubleshooter again so now I'm in a loop.
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-25T20:20:08.9133333+00:00

Hello F S,

Thanks for your response.

We are looking into your issue and get back to you soon
Vinod Pittala 1,600 Reputation points Microsoft External Staff

2025-03-26T09:30:29.2233333+00:00

Hello F S,

By looking at the first snippet, I understand that there were two AMA agents installed on your machine. So, before making any other changes, please go to the Control Panel on your machine and search for "Programs and Features." Check if you have two AMA agents installed. If you do, uninstall one of them. Also, check if there are any duplicate log files present in the C: directory.

Additionally, add the Windows event logs from the log analytics workspace.

Go to your target Log analytics workspace and search for Legacy agents management, then add the Windows event log as "Microsoft-Windows-Windows Firewall with Advanced Security/Firewall."

The snippet below is for your reference.

See if it works.
F S 25 Reputation points

2025-03-26T21:03:49.8533333+00:00

It shows that I only have 1 AMA installed. I added the Windows Event Log. It's been about 30 minutes since. I ran this query

search * | summarize Count = count() by $table

and I can still only see 3 tables: Event, Usage, & Heartbeat. The source of the events I get are only from Microsoft-Windows-Security-Auditing.

If this works, does it mean I will see this in the events table but with the source as Microsoft-Windows-Windows Firewall with Advanced Security/Firewall?
Venkat V 1,485 Reputation points Microsoft External Staff

2025-04-01T09:51:56+00:00

Hi @F S

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Accepted answer

0 additional answers

Your answer

Sándor Tőkési 251 Reputation points

2025-03-12T06:20:57.86+00:00

1: When you say 'I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.' - does this mean you have it connected and it just stopped working without you doing anything, or had you made some changed before it stopped working?

2: Can you see the data anywhere in Sentinel? Maybe they are not in their native location for any reasons that can cause the connector to show 'disconnected'.

3: You can enable the DCR diagnostic settings to see whether they create any error messages in your Sentinel.

4: Have you deployed the DCR from the connector page? If so, have you made any changes in the DCR manualy, or is it the default DCR?

5: If you go to your machine, can you see the DCR config there? I've seen some machines not downloading the DCR settings. In this case, some changes in the DCR or reassigning the DCR usually solved the problem for me.
F S 25 Reputation points

2025-03-12T17:11:29.2833333+00:00

It stopped working without me doing anything. I just checked again this morning and now the Windows Firewall data connector is also disconnected. A week ago I originally installed 3 data connectors (Windows Firewall, Windows Firewall via AMA, and Windows Security Events via AMA) and it looks like only the Windows Security Events via AMA is still there. Maybe I should start troubleshooting from here first?BTW forgot to mention that everything is all new to me, so I could definitely be setting things up wrong.

Also, how do I check DCR settings on my machine?
Vinod Pittala 1,600 Reputation points Microsoft External Staff

2025-03-20T08:10:21.9666667+00:00

Hello F S,

Apologies for the delay in response.

Since you mentioned that the data connector for Windows Firewall is now disconnected, as you said it might be helpful to start by checking the configuration and status of your data connectors.

Revisit the "Data Connectors" section in the Azure Monitor and ensure that the Windows Firewall and Windows Firewall via AMA connectors are properly configured.

Check that the connectors are enabled and linked to the correct Log Analytics workspace.

Also, how do I check DCR settings on my machine?

Go to the Azure portal and navigate to "Azure Monitor" -> "Data Collection Rules."

Locate the DCR associated with the Windows Firewall via AMA data connector.

Ensure that the DCR is correctly configured to collect the necessary Windows Firewall logs. It should include the relevant event IDs and sources for firewall logs.

Ensure the DCR is assigned to the correct scope, which should include the endpoint you are monitoring.

Check that the right machines are associated with the DCR by verifying the scope settings.

And verify that AMA is deployed and running on the endpoint. You can check this in the "Services" management console (services.msc) on the Windows endpoint.

And make sure that both the endpoint and the Azure Monitor Agent (AMA) are up to date with the latest patches and updates.

Restart the endpoint to ensure all configurations are correctly applied and services are running as expected.

Please get back to us if you encounter any challenges.

If the comment is helpful, please click Upvote.

Thanks
F S 25 Reputation points

2025-03-20T20:22:34.1266667+00:00

So I went back to the Windows Firewall connector page and then under the configuration section, I installed the Windows Firewall Solution. It's showing connected again.

I went to Windows Firewall Events via AMA and for pre-requisites, it says: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled.

I assumed I didn't need to have Azure Arc for my endpoint since I installed AMA. Am I wrong for assuming that?

Under the configuration section, I have a DCR set up:

Under Basic, I have the name, subscription, and resource group.
Under Resources, it never loads. It looks like it's trying to load but nothing ever pops up.
Under Collect, I have the Domain, Private, and Public profiles selected.

The next tab is Review & Create.
Is there a section where I should be able to include Event IDs?

Other than that, idk what I have to do here to get it to show as connected.
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-20T23:57:00.8366667+00:00

Hi F S,

Azure Arc is essential for non-Azure machines (such as on-premises or other cloud environments) to integrate with Azure services like Azure Monitor.

It allows these machines to function as Azure resources, enabling centralized management and monitoring.

If your endpoint is an Azure VM, Azure Arc is not required. However, for non-Azure machines, Azure Arc is mandatory to use the Azure Monitor Agent (AMA) and collect data.

Since you've installed AMA, ensure that Azure Arc is also installed and enabled if your machine is non-Azure.

https://learn.microsoft.com/en-us/azure/azure-arc/choose-service

https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-server

After OnBoarding Azure ARC Go to Azure Monitor → Data Collection Rules

Please "upvote" if the comment is helpful
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-21T22:57:26.1333333+00:00

Hi F S,
Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.
Vinod Pittala 1,600 Reputation points Microsoft External Staff

2025-03-24T05:23:49.5266667+00:00

Hello F S,

We haven't heard back from you regarding the advice Naveena Patlolla provided earlier. Could you please let us know if it was helpful?

If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.

Thanks
F S 25 Reputation points

2025-03-24T13:24:58.8366667+00:00

Hello,

I was able to get Azure ARC installed onto the endpoint.

I then went to the Windows Firewall Events via AMA data connector page, and edited the DCR so that the resource selected was my endpoint. The data connector still shows disconnected though. Is there something else I need to do?
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-24T20:17:26.0966667+00:00

Hello F S,
Please refer to the below documents
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/troubleshooter-ama-windows?tabs=WindowsPowerShell
https://learn.microsoft.com/en-us/azure/azure-monitor/vm/data-collection-firewall-logs#configure-firewall-logs-data-source
F S 25 Reputation points

2025-03-24T21:30:34.88+00:00

I ran the troubleshooter from the first link and it showed:

These were the results from the troubleshooter:

I continued onto the second link. From there I:

Installed the Security and Audit solution

Configured another DCR following the steps in the link

Tried to verify the data collection but the WindowsFirewall query returned nothing, even after waiting for 20 minutes and restarting my laptop.

Then I followed the troubleshooting steps.

I confirmed FW is enabled.

FW logs are being created.

It said to run the AMA troubleshooter again so now I'm in a loop.
Naveena Patlolla 1,720 Reputation points Microsoft External Staff

2025-03-25T20:20:08.9133333+00:00

Hello F S,

Thanks for your response.

We are looking into your issue and get back to you soon
Vinod Pittala 1,600 Reputation points Microsoft External Staff

2025-03-26T09:30:29.2233333+00:00

Hello F S,

By looking at the first snippet, I understand that there were two AMA agents installed on your machine. So, before making any other changes, please go to the Control Panel on your machine and search for "Programs and Features." Check if you have two AMA agents installed. If you do, uninstall one of them. Also, check if there are any duplicate log files present in the C: directory.

Additionally, add the Windows event logs from the log analytics workspace.

Go to your target Log analytics workspace and search for Legacy agents management, then add the Windows event log as "Microsoft-Windows-Windows Firewall with Advanced Security/Firewall."

The snippet below is for your reference.

See if it works.
F S 25 Reputation points

2025-03-26T21:03:49.8533333+00:00

It shows that I only have 1 AMA installed. I added the Windows Event Log. It's been about 30 minutes since. I ran this query

search * | summarize Count = count() by $table

and I can still only see 3 tables: Event, Usage, & Heartbeat. The source of the events I get are only from Microsoft-Windows-Security-Auditing.

If this works, does it mean I will see this in the events table but with the source as Microsoft-Windows-Windows Firewall with Advanced Security/Firewall?
Venkat V 1,485 Reputation points Microsoft External Staff

2025-04-01T09:51:56+00:00

Hi @F S

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Answer 1

I assumed I didn't need to have Azure Arc for my endpoint since I installed AMA. Am I wrong for assuming that?

For any machine that isn't in Azure, the Azure Arc agent must be installed on the machine before the Azure Monitor Agent can be installed. Follow the MS Doc for more details

The reason for not receiving Windows Firewall logs in the Log Analytics workspace, even after installing the Security and Audit solution and enabling the Firewall, may be that logging is not enabled.

Please ensure that firewall logging is enabled on the Windows VM by navigating to Firewall & network protection > Advanced settings. Then, right-click on Windows Defender Firewall, go to Domain Profile, and select Customize under logging.

enter image description here

Please make sure to enable logging for each profile.

Once logging is enabled, the logs will be generated in the following path:

The default location for firewall log files is C:\windows\system32\logfiles\firewall\pfirewall.log.

You can enable logging for all profiles using the following command line:

netsh advfirewall set allprofiles logging allowedconnections enable

netsh advfirewall set allprofiles logging droppedconnections enable

I tested this in my environment, as the firewall logs were not showing before.

enter image description here

I created a Windows VM and enabled Security and Audit, along with a Log Analytics Workspace, as shown below.

enter image description here

Then, I created a DCR rule with endpoint configurations as shown below.

enter image description here

Under Collect and Driver Settings, add a Data Source > Select Firewall Logs > Under the Destination tab, select the previously created Log Analytics workspace.

enter image description here

In the final step, I enabled Windows Firewall logs on my VM as explained above. After 5 to 10 minutes, the Windows Firewall logs appeared in the Log Analytics workspace, as shown below.

enter image description here

**
Reference**: Collect Windows Firewall logs from virtual machine with Azure Monitor

How to use the Windows operating system (OS) Azure Monitor Agent Troubleshooter

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

------------------------------------------------------------------------------------------
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Venkat V 1,485 Reputation points Microsoft External Staff

2025-04-07T04:41:26.3+00:00

Hi @F S

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.
F S 25 Reputation points

2025-04-23T16:12:25.61+00:00

Thank you. I had to uninstall everything and install Azure Arc before AMA to get this to work.

Share via

How do I get windows firewall logs my workspace?

0 additional answers

Your answer