Forwarding Windows Server firewall logs to other location like syslog server?

EnterpriseArchitect 4,936 Reputation points
2024-05-22T14:03:53.0433333+00:00

Would it be possible to forward or configure the Windows server firewall logs to a SIEM or SYSLOG server?

Currently, using the official method through Group Policy only allows me to create the log on a specific server locally.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=gpo

Any help would be greatly appreciated.


1 answer

  1. Rich Matheisen 45,416 Reputation points
    2024-05-22T19:23:23.9733333+00:00

    You can try using the Get-Content cmdlet and the -Wait parameter.

    I don't know, however, how the firewall logs are managed. Is a new file created every "X" number of characters? Or is the log file used in a circular fashion, where when the file reaches a given size, the firewall starts writing new records at the beginning of the existing file?

    I think each log file is filled and then a new log file created. If that's the case you should be able to transfer each log file as a new one is created. You can combine file system event handling (deletion or creation of a file) to stop and restart your code using a new file name, while you transfer the "old" file to a centralized collection point.

    You may have better luck finding an existing answer (or better advice) on StackOverflow.com. The solution may be easier to write in C# than PowerShell.

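One way to build the forwarder the answer sketches, as an added example that is not the question's or the answer's code: it tails pfirewall.log, maps each record onto the column names from the log's own "#Fields:" header, and ships it as key=value pairs to a syslog collector over UDP. It uses a hand-rolled tail instead of Get-Content -Wait so that rotation (Windows renames the full log to pfirewall.log.old and starts a fresh file) is detected explicitly; the syslog host name is an assumed value and the log path is the Windows default.

```powershell
# Added example (not the question's or answer's code): tail the Windows firewall log,
# parse its W3C columns and forward each record to a syslog collector over UDP.
# $SyslogHost is an assumed address; $LogPath is the default firewall log location.
param(
    [string]$LogPath    = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [string]$SyslogHost = 'syslog.example.internal',   # assumed collector
    [int]   $SyslogPort = 514
)

$udp    = New-Object System.Net.Sockets.UdpClient
$fields = @()   # column names, taken from the log's "#Fields:" header line

function Send-Syslog([string]$msg) {
    # RFC 5424 framing; PRI 134 = facility local0 (16*8) + severity informational (6)
    $line  = "<134>1 $([DateTime]::UtcNow.ToString('o')) $env:COMPUTERNAME WindowsFirewall - - - $msg"
    $bytes = [Text.Encoding]::UTF8.GetBytes($line)
    [void]$udp.Send($bytes, $bytes.Length, $SyslogHost, $SyslogPort)
}

function ConvertTo-Syslog([string]$line) {
    # Header lines start with '#'. "#Fields:" names the columns, e.g.
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
    if ($line -like '#Fields:*') { $script:fields = ($line -replace '^#Fields:\s*', '') -split ' '; return }
    if (-not $line -or $line.StartsWith('#') -or $fields.Count -eq 0) { return }
    $values = $line -split ' '
    $pairs  = for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
        "$($fields[$i])=$($values[$i])"   # key=value is easy for a SIEM to field-extract
    }
    Send-Syslog ($pairs -join ' ')
}

# Manual tail rather than Get-Content -Wait so that rotation is handled explicitly: Windows
# renames the full log to pfirewall.log.old and starts a new one, so the file "shrinks".
# Assumes the firewall flushes whole lines; on first start the existing content is replayed.
$position = 0
while ($true) {
    if (Test-Path -LiteralPath $LogPath) {
        $fs = [IO.File]::Open($LogPath, 'Open', 'Read', [IO.FileShare]'ReadWrite,Delete')
        try {
            if ($fs.Length -lt $position) { $position = 0 }   # shorter than last time: rotated
            [void]$fs.Seek($position, 'Begin')
            $reader = New-Object IO.StreamReader($fs)
            while ($null -ne ($l = $reader.ReadLine())) { ConvertTo-Syslog $l }
            $position = $fs.Length
        }
        finally { $fs.Dispose() }
    }
    Start-Sleep -Seconds 2
}
```

Run it as a scheduled task or service account with read access to the Firewall log directory; because the new file begins with its own "#Fields:" header, the column mapping is refreshed automatically after every rotation.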