Configure the Windows Firewall Log

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node (for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2) or Windows Firewall (for Windows XP or Windows Server 2003) in the Group Policy Management MMC snap-in.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

In this topic:

  • To configure Windows Firewall logging for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

  • To configure Windows Firewall logging for Windows XP or Windows Server 2003

To configure Windows Firewall logging for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

  1. Open the Group Policy Management Console to Windows Firewall with Advanced Security.

  2. In the details pane, in the Overview section, click Windows Firewall Properties.

  3. For each network location type (Domain, Private, Public), perform the following steps.

    1. Click the tab that corresponds to the network location type.

    2. Under Logging, click Customize.

    3. The default path for the log is %windir%\system32\logfiles\firewall\pfirewall.log. If you want to change this, clear the Not configured check box and type the path to the new location, or click Browse to select a file location.

Important

The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.

    4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the Not configured check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.

    5. No logging occurs until you set one of the following two options:

      • To create a log entry when Windows Firewall drops an incoming network packet, change Log dropped packets to Yes.

      • To create a log entry when Windows Firewall allows an inbound connection, change Log successful connections to Yes.

    6. Click OK twice.

To configure Windows Firewall logging for Windows XP or Windows Server 2003

  1. Open the Group Policy Management Console to Windows Firewall.

  2. In the navigation pane, click either Domain Profile or Standard Profile.

  3. In the details pane, double-click Windows Firewall: Allow logging.

  4. Click Enabled.

  5. No logging actually occurs until you set one of the following two options:

    • To create a log entry when Windows Firewall drops an incoming network packet, select Log dropped packets.

    • To create a log entry when Windows Firewall allows an inbound connection, select Log successful connections.

  6. The default path for the log is %windir%\pfirewall.log. If you want to change this, type the path to the new location, or click Save As to select a file location.

  7. The default maximum file size for the log is 4096 KB. If you want to change this, type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.

  8. Click OK twice.
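
Once either procedure is applied, the log is a space-delimited text file whose #Fields: header names its columns. The following Python script is an added example, not part of the original topic: it parses such a log by reading that header instead of hard-coding the columns, then counts entries per action and lists the destination ports of dropped packets per source address. The sample lines, the addresses, the DROP and ALLOW action values shown, and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log (documentation address ranges); not taken from the page.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 10:00:01 DROP TCP 203.0.113.7 192.0.2.10 51515 445 52 S 1234567 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.7 192.0.2.10 51516 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-05-01 10:00:03 ALLOW TCP 192.0.2.50 192.0.2.10 49200 443 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:00:04 DROP UDP 198.51.100.9 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2024-05-01 10:00:05 DROP TCP 203.0.113.7
"""

def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed entries
                yield dict(zip(fields, values))

def summarize(entries):
    """Return (entries per action, {source IP: sorted dropped destination ports})."""
    actions, ports = Counter(), defaultdict(set)
    for e in entries:
        actions[e.get("action", "?")] += 1
        # Non-TCP/UDP entries carry "-" instead of a port number, so check first.
        if e.get("action") == "DROP" and e.get("dst-port", "").isdigit():
            ports[e.get("src-ip", "?")].add(int(e["dst-port"]))
    return actions, {src: sorted(p) for src, p in ports.items()}

if __name__ == "__main__":
    actions, dropped = summarize(parse_firewall_log(SAMPLE_LOG))
    print("entries per action:", dict(actions))
    for src, dst_ports in dropped.items():
        print(f"dropped from {src}: destination ports {dst_ports}")
```

If only one of the two logging options is enabled, the per-action counts show it immediately, because the corresponding action never appears in the log.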
