The log file itself is recorded in the W3C Extended Log File Format. This is an industry
standard format that will allow you to analyze the log file in a simple text editor like Notepad,
or to import log information into a database for analysis with third-party tools. The file begins
with a header that lists the fields that are recorded, as follows:
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
After the header, the body of the log file begins. Each line in the body records a packet that
was either dropped or allowed to pass through the firewall. Each field in the body of the file
corresponds to the title listed in the header; a dash (-) indicates that there was no information
to record in that field. For example, a log file entry that records a dropped packet would resemble
the following:
2005-07-15 11:26:36 DROP UDP 10.1.7.30 255.255.255.255 1522 14000 104 - - - - - - - RECEIVE
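As an added example (not from the book), the following Python parses a firewall log in the format just described: it takes the column names from the #Fields header, stores a dash as an empty value, and refuses lines whose field count does not match the header. The sample input is the header and DROP entry quoted above plus two constructed lines.

```python
from collections import Counter

# Constructed sample: the header and DROP entry quoted on this page, plus
# two made-up lines (a dropped TCP SYN and an allowed outbound connection).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-07-15 11:26:36 DROP UDP 10.1.7.30 255.255.255.255 1522 14000 104 - - - - - - - RECEIVE
2005-07-15 11:26:40 DROP TCP 192.0.2.10 10.1.7.5 4021 445 48 S 123456 0 65535 - - - RECEIVE
2005-07-15 11:26:41 OPEN TCP 10.1.7.5 192.0.2.20 3389 443 0 - - - - - - - SEND
"""

def parse_firewall_log(text):
    """Return (header, records): header maps each #Directive to its value;
    each record maps the #Fields names to one line's values, '-' -> None."""
    header, fields, records = {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                  # header directive
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip() == "Fields":
                fields = value.split()            # column names for the body
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields header")
        values = line.split()
        # Refuse to guess at a misaligned line; a silently shifted record
        # would corrupt any later per-field analysis.
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({f: None if v == "-" else v for f, v in zip(fields, values)})
    return header, records

def dropped_by_dst_port(records):
    """Count DROP entries per (protocol, dst-port): a quick triage view of
    which services are being hit before importing the log into a database."""
    return Counter((r["protocol"], r["dst-port"]) for r in records if r["action"] == "DROP")

if __name__ == "__main__":
    hdr, recs = parse_firewall_log(SAMPLE_LOG)
    print(hdr["Software"], "- entries:", len(recs))
    for (proto, port), n in dropped_by_dst_port(recs).most_common():
        print(f"DROP {proto} dst-port {port}: {n}")
```

Point `SAMPLE_LOG` at the contents of the real pfirewall.log to run the same triage on a live machine.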
Note You can also analyze the Windows Firewall log file with the Microsoft Log Parser, which we'll
discuss further in Recipe 3-19.
See Also
• Recipe 3-19 for more on auditing Windows Firewall events.
• Microsoft TechNet: “W3C Extended Log File Format (IIS 6.0)” (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx).
• Microsoft TechNet: “Log Parser 2.2” (http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx). This article discusses the free Microsoft Log Parser tool.
3-19. Auditing Windows Firewall Events
Problem
You want to view and manage the Windows event log entries created by the Windows Firewall.