Export (0) Print
Expand All

Interpreting the Windows Firewall Log

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Windows Firewall log file is useful for determining if Windows Firewall is the cause of program failures. It can also be used to help identify malicious activity, although it does not provide the information needed to track down the source of the activity. The Windows Firewall log file is not useful for analyzing the overall security of your network.

The Windows Firewall log is a plaintext file that can be viewed through any text editor. Notepad is the default text editor for the Windows Firewall log file. Depending on the size limit set for the file and the duration of the logging event, a single log file can contain thousands of text entries. To improve its readability in Notepad, disable word wrapping. This will preserve the column formatting. For more information, see View the Windows Firewall Log File.

The following is an example of a Windows Firewall log file:

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE
2005-04-11 08:05:57 DROP UDP 123.45.678.90 255.255.255.255 1631 2234 37 - - - - - - - RECEIVE
2005-04-11 08:05:58 OPEN UDP 123.45.678.90 123.456.78.90 500 500 - - - - - - - - -
2005-04-11 08:05:58 DROP UDP 123.45.678.90 123.456.78.255 138 138 299 - - - - - - - RECEIVE
2005-04-11 08:06:02 CLOSE UDP 123.45.678.90 123.456.78.90 1027 53 - - - - - - - - -
2005-04-11 08:06:02 CLOSE UDP 123.45.678.90 123.456.78.90 137 137 - - - - - - - - -
2005-04-11 08:06:05 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2005-04-11 08:06:26 DROP TCP 123.45.678.90 123.456.78.90 80 1774 576 A 123456789 987654321 12345 - - - RECEIVE
2005-04-11 08:06:27 DROP TCP 123.45.678 90 123.456.78.90 80 1774 576 AP 123456789 987654321 12345 - - - RECEIVE
2005-04-11 08:08:58 DROP ICMP 123.45.678.90 123.456.78.90 7 7 78 - - - - 8 0 - RECEIVE
2005-04-11 08:09:29 OPEN TCP 123.45.678.90 123.456.78.90 1606 445 - - - - - - - - -
2005-04-11 08:09:30 CLOSE TCP 123.45.678.90 123.456.78.90 1607 139 - - - - - - - - -
2005-04-11 08:48:46 DROP TCP 123.45.678.90 123.456.78.90 80 1693 40 A 2351482979 694744025 64675 - - - RECEIVE
2005-04-11 08:48:46 DROP TCP 123.45.678.90 123.456.78.90 80 1693 40 FA 2351482979 694744025 64675 - - - RECEIVE
2005-04-11 08:52:26 INFO-EVENTS-LOST - - - - - - - - - - - - 59 -
noteNote
The preceding log file example has been truncated. Many dropped broadcast packets, which are the most common type of entry, have been removed from this example.

The log file has two sections: the header and the body. The header displays information about Windows Firewall and provides a column heading for the entries that appear in the body section.

The following table lists the information contained in the header of the log file:

 

Item Description

#Version:

Displays which version of the Windows Firewall security log is installed.

#Version: 1.5

#Software:

Displays the name of the software creating the log.

#Software: Microsoft Windows Firewall

#Time:

Indicates that all of the timestamps in the log are in local time.

#Time Format: Local

#Fields:

Displays a static list of fields that are available for security log entries, if data is available. These fields are listed in the following table.

noteNote
The hyphen (-) is used for fields for which no information is available.

The body is the report of information gathered about traffic or attempts to pass through Windows Firewall. The body of the security log is a dynamic list; new entries appear at the bottom of the log.

The following table lists the information contained in the body of the log file:

 

Item Description

date

Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the following format:

YYYY-MM-DD


              2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

time

Displays the hour, minute, and seconds at which the recorded transaction occurred. Times are recorded in the following 24-hour format:

HH:MM:SS

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

action

Displays which operation was observed by Windows Firewall. The options available are OPEN, OPEN-INBOUND, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but were not recorded in the log.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

protocol

Displays the protocol that was used for the communication. The options available are TCP, UDP, ICMP, and a protocol number for packets that are not TCP, UDP, or ICMP.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

src-ip

Displays the source IP address (the IP address of the computer attempting to establish communication).

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

dst-ip

Displays the destination IP address of a communication attempt.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

src-port

Displays the source port number of the sending computer. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

dst-port

Displays the port number of the destination computer. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

size

Displays the packet size, in bytes.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

tcpflags

Displays the TCP control flags found in the TCP header of an IP packet:

  • Ack Acknowledgment field significant

  • Fin No more data from sender

  • Psh Push function

  • Rst Reset the connection

  • Syn Synchronize sequence numbers

  • Urg Urgent Pointer field significant

2005-04-11 08:06:27 DROP TCP 123.45.678 90 123.456.78.90 80 1726 54 AP 123456789 987654321 12345 - - - RECEIVE

tcpsyn

Displays the TCP sequence number in the packet.

2005-04-11 08:06:278 DROP TCP 123.45.678 90 123.456.78.90 80 1726 54 AP 123456789 987654321 12345 - - - RECEIVE

tcpack

Displays the TCP acknowledgement number in the packet.

2005-04-11 08:06:27 DROP TCP 123.45.678 90 123.456.78.90 80 1726 54 AP 123456789 987654321 12345 - - - RECEIVE

tcpwin

Displays the TCP window size, in bytes, in the packet.

2005-04-11 08:06:27 DROP TCP 123.45.678 90 123.456.78.90 80 1726 54 AP 123456789 987654321 12345 - - - RECEIVE

icmptype

Displays a number that represents the Type field of the ICMP message.

2005-04-11 08:06:27 DROP ICMP 123.45.678.90 123.456.78.90 7 7 78 - - - - 8 0 - RECEIVE

icmpcode

Displays a number that represents the Code field of the ICMP message.

2005-04-11 08:06:27 DROP ICMP 123.45.678.90 123.456.78.90 7 7 78 - - - - 8 0 - RECEIVE

info

Displays an entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action will result in an entry of the number of events that occurred but were not recorded in the log from the time of the last occurrence of this event type.

2005-04-11 08:52:26 INFO-EVENTS-LOST - - - - - - - - - - - - 59 -

path

Displays the direction of the communication. The options available are SEND, RECEIVE, FORWARD, and UNKNOWN.

2005-04-11 08:05:57 DROP UDP 123.45.678.90 123.456.78.255 137 137 78 - - - - - - - RECEIVE

When to perform this task

  • When attempting to determine if program failure is a result of your Windows Firewall configuration.

  • When searching for malicious activity on your network.

Task requirements

No special tools are required to complete this task.

Task procedures

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft