Forwarding Windows Server firewall logs to other location like syslog server?

EnterpriseArchitect 6,041 Reputation points
2024-05-22T14:03:53.0433333+00:00

Would it be possible to forward or configure the Windows server firewall logs to a SIEM or SYSLOG server?

Currently, using the official method through Group Policy only allows me to create the log on a specific server locally.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=gpo

Any help would be greatly appreciated.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Windows for business | Windows Server | User experience | PowerShell
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Rich Matheisen 47,901 Reputation points
    2024-05-22T19:23:23.9733333+00:00

    You can try using the Get-Content cmdlet and the -Wait parameter.

    I don't know, however, how the firewall logs are managed. Is a new file created every "X" number of characters? Or is the log file used in a circular fashion, where when the file reaches a given size, the firewall starts writing new records at the beginning of the existing file?

    I think each log file is filled and then a new log file created. If that's the case you should be able to transfer each log file as a new one of created. You can combine file system event handling (deletion or creation of a file) to stop and restart your code using a new file name, while you treasfer the "old" file to a centralized collection point.

    You may have better luck finding an existing answer (or better advice) on StackOverflow.com. The solution may be easier to write in C# than PowerShell.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.