deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update configure-the-windows-firewall-log.md

Browse Source 
Added a paragraph related to the folder creation issue.
This commit is contained in:
msarcletti
2023-10-09 12:33:43 +02:00
committed by GitHub
parent 31032b6cc3
commit aafa943dfc
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
View File

@ -43,7 +43,12 @@ To complete these procedures, you must be a member of the Domain Administrators
### Troubleshooting if the log file is not created or written to
Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically.
Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically.
If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC.
```
New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
```
Verify if mpssvc has FullControl on the folder and the files.
Open an elevated PowerShell and use these commands. Make sure to use the correct path.
@ -70,5 +75,7 @@ $ACL.AddAccessRule($RULE)
```
Restart the Computer to restart the Windows Defender Firewall Service.
### Troubleshooting Slow Log Ingestion
If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation.