Share via

Log Analytics WindowsFirewall - table transformation not working

Adam Karas 0 Reputation points
2024-10-01T07:28:37.23+00:00

Hello,

I am collecting Windows Firewall logs via AMA from servers - that is working fine, I have ingested logs. But what I am trying to set up is transformation with DCR to collect only DROP records. Transformation KQL source | where FirewallAction != "ALLOW" or source | where FirewallAction == "DROP" (tried both). But still getting all records (ALLOW, DROP) to WindowsFirewall table. I have also tried different queries, filter, but still the same - looks like that transformation is not working.

Any hints where I should take a look, what could be configured wrong ?

Thanks a lot.

BR, AK

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,314 questions
Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
435 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pavan Minukuri 100 Reputation points Microsoft Vendor
    2024-10-17T22:56:05.34+00:00

    Hi @Adam Karas
    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
    Let’s check out the steps you need to follow

    1. Check DCR Transformation Setup: Ensure the transformation query is correctly applied to the Windows Firewall logs in the DCR. Make sure it's active.
    2. Verify Query in Log Analytics: Test the query (where FirewallAction != "ALLOW" or where FirewallAction == "DROP") in Log Analytics to confirm it returns only DROP records.
    3. Data Collection Rule Assignment: Ensure the DCR is assigned to the right servers and no other rules are collecting logs without transformation.
    4. Schema Mapping: Ensure the field names and values in the logs match the transformation query (like FirewallAction, DROP, ALLOW). Check the raw logs in Log Analytics.
    5. DCR Ingestion Latency: There might be a delay before logs reflect the transformation, so monitor them over time.
    6. Troubleshoot AMA Logs: Check the AMA logs for errors that might be affecting the DCR transformation.
      Reference link :https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
      https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-query-overview
      If you have any further queries, do let us know.

    If you have any further queries, do let us know.

    If the comment is helpful, please click "Accept Answer " and "Upvote it"

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.