Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,517 questions
How do I get windows firewall logs my workspace?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 78%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
F S
0
Reputation points
I have a W11 endpoint, not a VM btw. I deployed AMA through Intune. AMA is running fine. My workspace is only showing Heartbeat logs for the endpoint.
I need FW logs. I made sure public, private & domain profiles are enabled on my endpoint. I made sure logging for successful & dropped packets are enabled on all profiles too. I checked my firewall logs and there are firewall logs accumulating.
I have a data connector (Windows Firewall) connected to my workspace. It shows connected and is configured properly. I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.
Is there something I'm missing to get the FW logs to show in my workspace?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 94%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Sándor Tőkési 251 Reputation points2025-03-12T06:20:57.86+00:00 1: When you say 'I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.' - does this mean you have it connected and it just stopped working without you doing anything, or had you made some changed before it stopped working?
2: Can you see the data anywhere in Sentinel? Maybe they are not in their native location for any reasons that can cause the connector to show 'disconnected'.
3: You can enable the DCR diagnostic settings to see whether they create any error messages in your Sentinel.
4: Have you deployed the DCR from the connector page? If so, have you made any changes in the DCR manualy, or is it the default DCR?
5: If you go to your machine, can you see the DCR config there? I've seen some machines not downloading the DCR settings. In this case, some changes in the DCR or reassigning the DCR usually solved the problem for me.
-
F S 0 Reputation points
2025-03-12T17:11:29.2833333+00:00 It stopped working without me doing anything. I just checked again this morning and now the Windows Firewall data connector is also disconnected. A week ago I originally installed 3 data connectors (Windows Firewall, Windows Firewall via AMA, and Windows Security Events via AMA) and it looks like only the Windows Security Events via AMA is still there. Maybe I should start troubleshooting from here first?BTW forgot to mention that everything is all new to me, so I could definitely be setting things up wrong.
Also, how do I check DCR settings on my machine?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Vinod Pittala 975 Reputation points Microsoft External Staff2025-03-20T08:10:21.9666667+00:00 Hello F S,
Apologies for the delay in response.
Since you mentioned that the data connector for Windows Firewall is now disconnected, as you said it might be helpful to start by checking the configuration and status of your data connectors.
- Revisit the "Data Connectors" section in the Azure Monitor and ensure that the Windows Firewall and Windows Firewall via AMA connectors are properly configured.
- Check that the connectors are enabled and linked to the correct Log Analytics workspace.
Also, how do I check DCR settings on my machine?
- Go to the Azure portal and navigate to "Azure Monitor" -> "Data Collection Rules."
- Locate the DCR associated with the Windows Firewall via AMA data connector.
- Ensure that the DCR is correctly configured to collect the necessary Windows Firewall logs. It should include the relevant event IDs and sources for firewall logs.
- Ensure the DCR is assigned to the correct scope, which should include the endpoint you are monitoring.
- Check that the right machines are associated with the DCR by verifying the scope settings.
And verify that AMA is deployed and running on the endpoint. You can check this in the "Services" management console (
services.msc) on the Windows endpoint.And make sure that both the endpoint and the Azure Monitor Agent (AMA) are up to date with the latest patches and updates.
Restart the endpoint to ensure all configurations are correctly applied and services are running as expected.
Please get back to us if you encounter any challenges.
If the comment is helpful, please click Upvote.
Thanks
-
F S 0 Reputation points
2025-03-20T20:22:34.1266667+00:00 So I went back to the Windows Firewall connector page and then under the configuration section, I installed the Windows Firewall Solution. It's showing connected again.
I went to Windows Firewall Events via AMA and for pre-requisites, it says: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled.
I assumed I didn't need to have Azure Arc for my endpoint since I installed AMA. Am I wrong for assuming that?
Under the configuration section, I have a DCR set up:
Under Basic, I have the name, subscription, and resource group.
Under Resources, it never loads. It looks like it's trying to load but nothing ever pops up.
Under Collect, I have the Domain, Private, and Public profiles selected.The next tab is Review & Create.
Is there a section where I should be able to include Event IDs?Other than that, idk what I have to do here to get it to show as connected.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Naveena Patlolla 1,130 Reputation points Microsoft External Staff2025-03-20T23:57:00.8366667+00:00 Hi F S,
Azure Arc is essential for non-Azure machines (such as on-premises or other cloud environments) to integrate with Azure services like Azure Monitor.
It allows these machines to function as Azure resources, enabling centralized management and monitoring.
If your endpoint is an Azure VM, Azure Arc is not required. However, for non-Azure machines, Azure Arc is mandatory to use the Azure Monitor Agent (AMA) and collect data.
Since you've installed AMA, ensure that Azure Arc is also installed and enabled if your machine is non-Azure.
https://learn.microsoft.com/en-us/azure/azure-arc/choose-service https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-server
After OnBoarding Azure ARC Go to Azure Monitor → Data Collection Rules
Please "upvote" if the comment is helpful
Sign in to comment
Sign in to answer