How to Centralize Windows Defender Firewall Logs

A very important task in security is to centralize the logs, at least those of the highly important systems, so that you can monitor them and investigate further if needed.

You need to see the behaviour of a system in order to identify any issue and make the right decision.

How can you monitor a system if you don't track logs?

How can you be proactive if you don't track logs?

Most firewalls, routers and security endpoint managers use the most common solution, Syslog, to transfer their logs to a log server.

But how can you track and keep the Windows Defender Firewall logs?

OK, I can hear you! Why do you need Windows Firewall if you have much better firewalls like Cisco, Fortigate and more?

Yes, you need it in some cases, and I will explain them right now.

  • On Windows Server Core edition, when you want to deny communication with other internal systems in your network.
  • For small businesses that use Windows Defender and want to isolate internal traffic between workstations and servers that belong to the same VLAN.

These are the most common reasons to use Windows Defender Firewall.

Today I would like to explain how you can track and keep the Windows Defender Firewall logs.

 

Deploy Windows Defender Firewall with Advanced Security with GPO

If you have not done so already, find out how to enable Windows Defender Firewall with Advanced Security through a GPO, so that the incoming/outgoing rules are centralized and you do not need to change one rule on multiple workstations/servers.

  • Open the Group Policy Management Console from your Domain Controller.
  • Expand the Computer Configuration -- Windows Settings -- Security Settings -- Windows Firewall with Advanced Security

 

 

  • First, let's configure the settings of Windows Firewall with Advanced Security
  • Right-click Windows Firewall with Advanced Security and select Properties
  • For all the profiles (Domain, Private, Public), under State, do the following:
    • Change the Firewall State to On (recommended)
    • Change the Inbound Connections to Block (default)
    • Change the Outbound Connections to Allow (default)

 

  • For all the profiles (Domain, Private, Public), under Settings, do the following:
    • Click the Customize button
    • The most common configuration is to leave everything as Not Configured. But if you want to centralize all the incoming/outgoing rules and deploy them only from the GPO, without the option to create local rules on the workstations or servers, then change Apply local firewall rules and Apply local connection security rules to No.

 

  • For all the profiles (Domain, Private, Public), under Logging, do the following:
    • Click the Customize button
    • For Name and Size limit (KB), uncheck Not configured
    • For Log dropped packets and Log successful connections, select Yes to enable the Windows Defender Firewall logs.

 

  • Before applying the Group Policy, it's recommended to create the predefined incoming rules for Remote Desktop, so that you still have Remote Desktop access to the workstations or servers after the GPO is applied:
    • Remote Desktop - User Mode (TCP-In)
    • Remote Desktop - User Mode (UDP-In)
  • Now close it and apply the GPO to the appropriate Organizational Units of workstations or servers.

 

Install and Configure the Log Server

The log server that we will use is the free edition of Graylog, which has a limit of 5 GB of logs per day.

For the installation of Graylog as the log server, you can read the following paragraphs from the article How to collect Applocker Logs from all Endpoints in one place:

  1. How to install Centos 7 in HYPER-V
  2. How to configure network settings of Centos 7 VM
  3. How to install Graylog in Centos 7

 

 

How to forward the Windows Firewall Logs to the Log Server

After installing Graylog as the log server, it's time to configure Graylog to accept the Windows Defender Firewall logs.

Windows Defender Firewall writes its logs to a text file. For this reason we must use Filebeat from Elasticsearch, which is included in the Graylog Sidecar agent.

As per Elastic, Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them

 

How to create the Token for the Graylog Sidecar Agent

  • Open Graylog from your Web Browser

  • Click on System/Authentication
  • In the Administrator click Edit Tokens

 

  • Type a Token Name and click Create Token
  • Uncheck Hide Token and copy the token, to use it during the installation of Graylog Sidecar

 

 

How to create the Input to accept the Logs

  • Click System/Inputs

  • Click Inputs
  • Select Beats
  • Click Launch new Input.

 

  • Write a Title for this input, for example Windows Firewall, and click Save

 

The input that you create uses port TCP/5504, so you must create an incoming rule in your Windows Defender Firewall to allow TCP port 5504 from the log server.

 

How to install Graylog Sidecar agent

The Graylog Sidecar agent must be set up on every workstation/server from which you want to collect Windows Defender Firewall logs.

  • Download the sidecar from here
  • Start the installation on one of the servers or workstations to which you have applied the GPO
  • Follow the steps of the wizard.
  • The only thing that you must pay attention to is the following step:
    • Url Address: Change only the IP address, to the IP address of your Graylog server
    • Api token: Copy/paste the token which you created with the instructions above.

 

  • After the installation finishes, open a command prompt as an Administrator and run the following commands to create and start the service of the agent
    • "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
    • "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

 

  • Now go to Graylog, click System -- Sidecar and verify that the workstation or server appears.

 

  • If it does not appear, the most common issue is that you have not opened the appropriate port in the Windows Firewall, or in your network firewall if you have split the network into different VLANs, to allow the communication.

 

How to configure the Filebeat 

This is the last step in order to start forwarding the Windows Defender Firewall logs.

After finishing the above steps, you must configure the Sidecar in Graylog to accept the logs from the workstations or servers.

  • Click System/Inputs --- Sidecar
  • Click Configuration

 

  • Click the Configuration button
  • Click Create Configuration

 

  • Type a name of your choice.
  • Click Collector and select filebeat on Windows
  • In the Configuration, make the following changes:
    • Change the hosts to the IP address of the Graylog server
    • On line 13, leave only filebeat instead of filebeat.input and create a new line with the input.
    • On line 15, add a line before the type:log
    • On line 18, change the path to the path of the Windows Defender Firewall logs. The default path is C:\Windows\system32\logfiles\firewall\pfirewall.log
  • Click Create

 

  • Now click Overview
  • Select the server on which you want to configure the Sidecar and click Manage Sidecar

 

  • Check filebeat
  • Click Configure and check the name of the filebeat configuration that you created in the above steps.
  • In this example it is Windows Firewall

 

  • Click Confirm in the window that appears

 

  • Wait a few seconds. If everything is OK, you will see a green arrow in Running.

 

  • If it's not Running, check the filebeat configuration and the firewall rules, which are the most common issues.

Click Search and wait a few seconds. Then the logs will start to appear from the server or workstation that you configured.
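
Each line of pfirewall.log reaches Graylog as raw text, so it still has to be split into fields before you can search on action, source or port. The following is an added example, not part of the original article: it parses the log layout by reading the `#Fields:` header and lists which local ports each source address was blocked from reaching. The sample lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the pfirewall.log layout; addresses and ports are made up.
# The last line is cut short on purpose, as can happen while the file is being written.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-03-01 09:15:02 DROP TCP 10.0.20.15 10.0.20.5 51544 445 52 S 1204 0 64240 - - - RECEIVE
2024-03-01 09:15:03 DROP TCP 10.0.20.15 10.0.20.5 51545 3389 52 S 1810 0 64240 - - - RECEIVE
2024-03-01 09:15:04 ALLOW UDP 10.0.20.5 10.0.20.1 55012 53 0 - - - - - - - SEND
2024-03-01 09:15:09 DROP ICMP 10.0.20.31 10.0.20.5 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 09:15:10 DROP TCP 10.0.20.15
"""


def parse_firewall_log(text):
    """Yield one dict per event, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it
        # "-" marks a field that does not apply to this event
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def blocked_ports_by_source(events):
    """Map each source IP to the local ports it was blocked from reaching."""
    hits = defaultdict(set)
    for e in events:
        if e.get("action") == "DROP" and e.get("path") == "RECEIVE" and e.get("dst-port"):
            hits[e.get("src-ip")].add(int(e["dst-port"]))
    return dict(hits)


if __name__ == "__main__":
    events = list(parse_firewall_log(SAMPLE_LOG))
    for src, ports in blocked_ports_by_source(events).items():
        print(src, sorted(ports))
```

Because the column names come from the header rather than a fixed list, the same parser keeps working if a Windows build writes additional columns.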

Have a nice weekend!!

 

 
