Enable IPsec and Windows Firewall Audit Events

Updated: January 2009

Applies To: Windows Server 2008, Windows Vista

By default, Windows Firewall with Advanced Security does not generate audit events for either the Windows Firewall service or Internet Protocol security (IPsec). To see the events, you must enable event logging. Because the Windows Firewall and IPsec components can potentially generate a large number of events, consider turning logging on only when you need to troubleshoot Windows Firewall and IPsec issues, and then turn the events off again when you are done.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority. If you do not have the required permissions, then the commands fail and display an error message.

To enable Windows Firewall with Advanced Security audit events

  1. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command. You can copy and paste this command into the Command Prompt window:

    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

  4. Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER:

    net stop MPSSVC

    net start MPSSVC

  5. When you are ready to disable event logging, run the same command as in step 3, but use /success:disable /failure:disable at the end of the command. Then restart the service by performing step 4 again.

To view the current settings for IPsec and Windows Firewall audit events

  1. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command. You can copy and paste this command into a batch file, and then run it that way if you want:

    auditpol.exe /get /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection"

    The command displays all of the current audit events settings for each category.

To see the new audit events in Event Viewer

  1. Open the Event Viewer. Click Start, type eventvwr in the Start Search box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand the Windows Logs branch.

  4. Right-click Security, and then click Filter Current Log.

  5. In the Includes/Excludes Event IDs box, type 4600-5500, and then click OK.

    Event Viewer displays any events that match the criteria. If you just enabled the audit events, there might be only a few events to view at first.
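
The enable, capture, and disable cycle from the three procedures above can be scripted so that auditing is always switched off again after troubleshooting. This is an added example, not part of the original article; it assumes an elevated PowerShell 2.0 or later session, and the function name `Set-FirewallAudit` and the output file `fw-ipsec-audit.csv` are hypothetical.

```powershell
# Added example (not from the original article). Run from an elevated session.
# Subcategory names are the ones used in the article's auditpol commands.
$subcategories = @(
    'MPSSVC rule-level Policy Change', 'Filtering Platform policy change',
    'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode', 'IPsec Driver',
    'Other System Events', 'Filtering Platform Packet Drop',
    'Filtering Platform Connection'
)
# Passed as one argument, so auditpol sees the same comma-separated list as in step 3.
$subArg = '/subcategory:' + ($subcategories -join ',')

function Set-FirewallAudit([string]$State) {    # $State: 'enable' or 'disable'
    & auditpol.exe /set $subArg "/success:$State" "/failure:$State"
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed (exit code $LASTEXITCODE)" }
    # Restart the Windows Firewall service, as in step 4 of the first procedure.
    & net.exe stop MPSSVC | Out-Null
    & net.exe start MPSSVC | Out-Null
}

$start = Get-Date
Set-FirewallAudit 'enable'
try {
    $null = Read-Host 'Auditing is on. Reproduce the problem, then press ENTER'

    # Same 4600-5500 event ID range as the Event Viewer filter, restricted to
    # events written since auditing was enabled by this script.
    $ms = [long]((Get-Date) - $start).TotalMilliseconds
    $xpath = "*[System[(EventID >= 4600 and EventID <= 5500) and " +
             "TimeCreated[timediff(@SystemTime) <= $ms]]]"
    $events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)

    # Summary by event ID, then the full records to a CSV for later review.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
    $events | Select-Object TimeCreated, Id, Message |
        Export-Csv -Path .\fw-ipsec-audit.csv -NoTypeInformation
}
finally {
    Set-FirewallAudit 'disable'    # runs even if the capture step fails or is interrupted
    & auditpol.exe /get $subArg    # show the resulting settings for confirmation
}
```

If your baseline policy already audits some of these subcategories, save the `auditpol.exe /get` output before running the script, because the disable step turns success and failure auditing off for all nine.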
