Enabling Audit Events for Windows Firewall with Advanced Security

Applies To: Windows 7, Windows Server 2008 R2

Important

The information in this topic is useful mainly to computers that are running Microsoft® Windows Vista® and Windows Server® 2008. Although the audit events are available in Windows® 7 or Windows Server® 2008 R2, it is more effective to use the operational event logging supported by those versions of Windows. For more information, see Viewing Firewall and IPsec Events in Event Viewer.

By default, Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 does not log anything in the Event Viewer log. The events that can be logged by Windows Firewall with Advanced Security are called “audit” events, and must be enabled. Once enabled, the events generated by Windows Firewall with Advanced Security can be viewed in Event Viewer.

  • Enable audit events for Windows Firewall with Advanced Security

  • Viewing firewall and IPsec audit events in Event Viewer

For more information about events that are generated by Windows Firewall with Advanced Security, see Event IDs Used by Windows Firewall with Advanced Security.

Enable audit events for Windows Firewall with Advanced Security

To enable audit events, use auditpol.exe, a command-line tool that modifies the audit policies of the local computer. You can use the auditpol command-line tool to enable or disable the various categories and subcategories of events and then view the events in the Event Viewer snap-in.

  • To get the list of event categories recognized by the auditpol tool, type the following at the command prompt:

    auditpol.exe /list /category

  • To get the list of subcategories under a category (this example uses the category Policy Change), type the following at the command prompt:

    auditpol.exe /list /category:"Policy Change"

  • To enable auditing for a subcategory within a category, type the following at the command prompt (auditpol /set requires at least one of /success or /failure):

    auditpol.exe /set /category:"CategoryName" /subcategory:"SubcategoryName" /success:enable /failure:enable

An example of setting a category and subcategory to enable is:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level Policy Change" /success:enable /failure:enable

The events generated by Windows Firewall with Advanced Security span several categories and subcategories. Consider creating a batch file with the auditpol commands that you want that you can use to enable and disable audit events as needed. The following table lists event categories and subcategories that are relevant to troubleshooting Windows Firewall with Advanced Security.

Category          Subcategories

Policy Change     MPSSVC rule-level policy change
                  Filtering Platform policy change

Logon/Logoff      IPsec Main Mode
                  IPsec Quick Mode
                  IPsec Extended Mode

System            IPsec Driver
                  Other system events

Object Access     Filtering Platform packet drop
                  Filtering Platform connection

For changes to audit policy settings to take effect, you must either restart the computer or force a manual policy refresh. You can force a manual refresh by typing the following command at the command prompt:

gpupdate /force

After you are done troubleshooting, you can disable the events by changing /success:enable and /failure:enable in the commands above to /success:disable and /failure:disable, and then running the commands again.
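The batch file suggested above, written out as an added example (not part of the original topic): it enables or disables every subcategory in the table in one pass, then prints the resulting policy so you can confirm the change. The file name wfas-audit.cmd is assumed; run it from an elevated command prompt.

```batch
@echo off
REM wfas-audit.cmd (assumed name) - enable or disable the audit subcategories
REM relevant to Windows Firewall with Advanced Security in a single run.
REM Usage:  wfas-audit.cmd enable     (before troubleshooting)
REM         wfas-audit.cmd disable    (after troubleshooting)

set "STATE="
if /i "%~1"=="enable"  set "STATE=enable"
if /i "%~1"=="disable" set "STATE=disable"
if not defined STATE (
    echo Usage: %~nx0 enable ^| disable
    exit /b 1
)

REM Category / subcategory pairs taken from the table in this topic.
call :setaudit "Policy Change" "MPSSVC rule-level Policy Change"
call :setaudit "Policy Change" "Filtering Platform Policy Change"
call :setaudit "Logon/Logoff"  "IPsec Main Mode"
call :setaudit "Logon/Logoff"  "IPsec Quick Mode"
call :setaudit "Logon/Logoff"  "IPsec Extended Mode"
call :setaudit "System"        "IPsec Driver"
call :setaudit "System"        "Other System Events"
call :setaudit "Object Access" "Filtering Platform Packet Drop"
call :setaudit "Object Access" "Filtering Platform Connection"

REM Show the effective setting for each category so the change can be verified.
for %%C in ("Policy Change" "Logon/Logoff" "System" "Object Access") do (
    auditpol.exe /get /category:%%C
)

REM Apply the change without a restart, as described in this topic.
gpupdate /force
exit /b 0

:setaudit
REM %1 = category, %2 = subcategory (both arrive quoted); %STATE% is enable or disable.
auditpol.exe /set /category:%1 /subcategory:%2 /success:%STATE% /failure:%STATE%
if errorlevel 1 echo FAILED: %~1 / %~2
goto :eof
```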

Viewing firewall and IPsec audit events in Event Viewer

Once the audit events are enabled, use Event Viewer to view the events in the Security event log.

To view firewall and IPsec audit events in Event Viewer

  1. Click Start, click Control Panel, click System and Maintenance (on Windows Vista and Windows Server 2008) or System and Security (on Windows 7 and Windows Server 2008 R2), and then under Administrative Tools click View event logs.

  2. In Event Viewer, expand Windows Logs and then click Security. In the details pane, you can view the security-related audit events. The list of logged events is displayed at the top of the details pane. Clicking an event in the list displays more detailed information at the bottom of the details pane. The General tab gives a description of the event in friendly text. The Details tab gives you the option to view the details of the event in either Friendly View or XML View. If you need more information about an event, on the General tab, click Event Log Online Help.