Logging firewall events
I have added a firewall rule to block access from a particular external IP range from which there have been large numbers of attempted logins to SQL Server. I would like a log which contains the inbound connection attempts which are now being blocked by this rule.
When I look in the logging settings there appear to be only two logging options: (i) Log dropped packets, (ii) Log successful connections.
So how do I log unsuccessful connections? Or log the activity associated with a particular rule? And can these events be channelled to the Windows Event Viewer?
thx
Andrew G
July 12th, 2011 4:50am
The router or hardware firewall would be the first block and provides a log. Configure those to block the IP range.
How are these intrusions getting past those? An internal attacker on the network?
July 12th, 2011 9:15am
Yes, I could do that, but that doesn't really address the issue of how to get the software firewall to log events, which is what I asked.
Andrew G
July 12th, 2011 9:21am
When I look in the logging settings there appear to be only two logging options: (i) Log dropped packets, (ii) Log successful connections.
Exactly; the first option will log the "unsuccessful connections", that is, the connection attempts which are dropped due to filter rules in the firewall; the second option will instead log all the connections which the firewall lets through.
My suggestion is to check BOTH options and be sure to raise the logfile size; start by using a value of 8192, then keep an eye on your box to check when the firewall log gets "rotated" (more later). At that point, if the rotation takes place too often, increase the size of the logfile.
As for the rotation, the firewall will log entries up to the given "max size" and, as soon as it's reached, the log file will be renamed (ok, copied over) as ".log.old" and a new ".log" file will be created, so, after some time, you'll find two log files inside the logs folder: the current one (.log) and the previous one (.log.old).
A last note: to ease the task of reviewing the logs, you may set up a (scheduled) script to import the logs into (e.g.) a database so that you'll be able to use whatever query or graphing tool to examine or graph the data, generate stats and so on.
July 12th, 2011 11:16am
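As an added illustration of the import-into-a-database suggestion above (example code, not from anyone in this thread), the script below parses the whitespace-separated, "#Fields:"-headed layout that Windows Firewall writes to its log file, loads the records into an in-memory SQLite table, and counts the dropped attempts per source address from a blocked range against the SQL Server port. The log excerpt is constructed for the example and uses documentation address ranges; the header and column names follow the standard Windows Firewall log layout.

```python
import ipaddress
import sqlite3

# Constructed sample in the layout Windows Firewall writes; addresses are from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-07-12 04:31:02 DROP TCP 203.0.113.45 192.168.1.10 51234 1433 52 S 1234567 0 8192 - - - RECEIVE
2011-07-12 04:31:03 DROP TCP 203.0.113.45 192.168.1.10 51235 1433 52 S 1234568 0 8192 - - - RECEIVE
2011-07-12 04:31:05 DROP TCP 203.0.113.77 192.168.1.10 40001 1433 52 S 1234569 0 8192 - - - RECEIVE
2011-07-12 04:31:09 ALLOW TCP 192.168.1.20 192.168.1.10 50100 1433 0 - 0 0 0 - - - RECEIVE
2011-07-12 04:31:11 DROP ICMP 198.51.100.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per record, taking the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before the #Fields header")
            values = line.split()
            if len(values) == len(fields):  # skip a truncated record (e.g. cut mid-rotation)
                yield dict(zip(fields, values))

def load_into_sqlite(text):
    """Create an in-memory table 'fw' and insert every record; returns the connection."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fw (date TEXT, time TEXT, action TEXT, protocol TEXT, "
                "src_ip TEXT, dst_ip TEXT, src_port INTEGER, dst_port INTEGER, path TEXT)")
    rows = [(r["date"], r["time"], r["action"], r["protocol"], r["src-ip"], r["dst-ip"],
             None if r["src-port"] == "-" else int(r["src-port"]),   # ICMP has no ports
             None if r["dst-port"] == "-" else int(r["dst-port"]), r["path"])
            for r in parse_firewall_log(text)]
    con.executemany("INSERT INTO fw VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return con

def blocked_attempts(con, blocked_range, dst_port):
    """Dropped hits per source IP inside blocked_range that targeted dst_port, busiest first."""
    net = ipaddress.ip_network(blocked_range)
    cur = con.execute("SELECT src_ip, COUNT(*) FROM fw WHERE action='DROP' AND dst_port=? "
                      "GROUP BY src_ip ORDER BY COUNT(*) DESC", (dst_port,))
    return {ip: n for ip, n in cur if ipaddress.ip_address(ip) in net}
```

Pointing `load_into_sqlite` at the contents of both the current .log and the rotated .log.old gives one table covering the whole retained history, which the query above (or any other SQL) can then summarise.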
ok thanks, that clears it up.
Andrew G
July 12th, 2011 4:09pm