Using the Security Log

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the security log to track Windows Firewall events. The security log provides information about Windows Firewall activity, such as changes to Windows Firewall settings, Windows Firewall startup status, and notifications sent when programs and system services attempt to listen for incoming traffic and are blocked. For more information about the specific events that are written to the security log, see the section titled "Windows Firewall Tools and Settings" in the Windows Firewall Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=42729).

By default, Windows Firewall events are not written to the security log. You must enable auditing in Group Policy to use the security log to track Windows Firewall events.

When to perform this task

You should enable the auditing of Windows Firewall events when you turn on Windows Firewall for the first time, when you need to troubleshoot Windows Firewall problems, or when you need to temporarily monitor Windows Firewall behavior.

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, use the following procedures:

See Also

Concepts

Using the Windows Firewall Log
Best Practices for Monitoring Windows Firewall