Eric's Networking

Overview of the Windows Firewall Security Log File in Windows XP

Summary

The Windows Firewall log allows advanced users to collect and identify inbound traffic. You can log dropped packets and successful connections. Security logging does not need to be enabled for Windows Firewall to function. Because security logging is considered an advanced option, it is not enabled by default. To enable logging, follow these steps:

  1. Click Start, Run, and type firewall.cpl, and then click Ok.
  2. Click the Advanced tab.
  3. Under Security Logging, click the Settings button.
  4. In the Log Settings, click to select the Log dropped packets and Log successful connections checkboxes, and then click Ok.
  5. Click Ok to close the Windows Firewall.

Once logging is turned on all of the information is written to a file called, pfirewall.log. The log file is stored in the %systemroot%\Windows directory. When the file reaches its maximize size, the information is written to a new file, pfirewall.log.1. The newest data is stored in the pfirewall.log and contains all information you choose to log.

More Information

The security log contains two sections. The Header provides information about the version of the log and the fields available. The body of the log is the compiled data that is entered as a result of traffic that tries to cross the firewall.

These fields are written from left to right across the page. The (-) is used when there is no entry available for the field. The data below corresponds to each field directly below each header field across the top, although the fields do not line up. Your log file may be slightly different. The important thing about the log is that this will give you clues about what is trying to tamper with your network or your PC.

In this log file, both successful connections as well as dropped packets are being logged. The first six lines consist of three repeated attempts that connect on port 445. The connection for these attempts were dropped. DROP indicates a packet blocked. The next few lines show that TCP on port 445 and 139 were open, followed by CLOSE in the last two lines. CLOSE indicates a normal closure of a TCP connection that was opened in the firewall. This is only logged when "Log successful connections" is checked.

Notes:

  • The log is a W3C Extended File format log. This means it can be opened and analyzed in Notepad, written to a database, or by third party logging utilities.

Last Modified: 2015-04-29.