Protecting Your Data: A Guide to Windows Firewall
The Security Log File
The Windows Firewall security log consists of a header of descriptive information followed by a line-by-line record of the opened, closed, and dropped network traffic sessions. The format of the log file is similar to the World Wide Web Consortium's (W3C) extended log file format, although the fields and formatting do not fully comply with the W3C standard.
The following is an excerpt from a Windows Firewall security log file:
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-11-20 11:43:41 DROP TCP 192.168.0.7 192.168.0.6 1172 3389 48 S 1640769051 0 65535 - - - RECEIVE
2005-11-20 11:43:44 DROP TCP 192.168.0.7 192.168.0.6 1172 3389 48 S 1640769051 0 65535 - - - RECEIVE
2005-11-20 11:43:50 DROP TCP 192.168.0.7 192.168.0.6 1172 3389 48 S 1640769051 0 65535 - - - RECEIVE
2005-11-20 11:43:52 CLOSE TCP 192.168.0.6 207.46.248.254 4280 80 - - - - - - - - -
2005-11-20 11:44:02 DROP TCP 192.168.0.7 192.168.0.6 1173 3389 48 S 3376513444 0 65535 - - - RECEIVE
2005-11-20 11:44:05 DROP TCP 192.168.0.7 192.168.0.6 1173 3389 48 S 3376513444 0 65535 - - - RECEIVE
2005-11-20 11:44:11 DROP TCP 192.168.0.7 192.168.0.6 1173 3389 48 S 3376513444 0 65535 - - - RECEIVE
2005-11-20 11:44:25 CLOSE UDP 192.168.0.6 192.168.0.3 137 137 - - - - - - - - -
2005-11-20 11:44:25 CLOSE UDP 192.168.0.6 192.168.0.1 1625 53 - - - - - - - - -
2005-11-20 11:48:36 OPEN TCP 192.168.0.6 66.102.7.104 4310 80 - - - - - - - - -
2005-11-20 11:48:42 OPEN UDP 192.168.0.6 192.168.0.1 1625 53 - - - - - - - - -
2005-11-20 11:48:42 OPEN TCP 192.168.0.6 207.46.248.248 4311 80 - - - - - - - - -
2005-11-20 11:48:44 OPEN TCP 192.168.0.6 207.46.248.248 4312 80 - - - - - - - - -
2005-11-20 11:48:44 OPEN TCP 192.168.0.6 207.46.248.248 4313 80 - - - - - - - - -
2005-11-20 11:48:44 CLOSE TCP 192.168.0.6 207.46.248.248 4311 80 - - - - - - - -
The four header lines contain information about the origination and format of the file. The first three lines identify the version number, software name, and time format used for this log file:
#Version:
The version definition refers to the version of the Windows Firewall security log being used. This field is not compatible with the W3C version directive.
#Software:
The software designation defines the name of the software used to create the security log. The W3C extended log file format does not include a software directive.
#Time Format:
The log file used in our example defines the time format as "local." I am unable to find any documentation that would identify this field as anything other than local time. This field is probably included for clarity. The W3C standard uses UTC for all time references.
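The following Python script is an added example, not part of the original guide. It reads a log in this format by taking the column names from the #Fields directive, treats the "-" marker as "not applicable", flags records whose column count does not match the header (the excerpt's last line is cut short in exactly this way), and then counts repeated DROP entries per source address and destination port, which is the first thing a reviewer of this log would want to see. The sample log is constructed from lines of the excerpt above.

```python
from collections import Counter

# Constructed sample: lines taken from the excerpt, including its truncated last record.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-11-20 11:43:41 DROP TCP 192.168.0.7 192.168.0.6 1172 3389 48 S 1640769051 0 65535 - - - RECEIVE
2005-11-20 11:43:44 DROP TCP 192.168.0.7 192.168.0.6 1172 3389 48 S 1640769051 0 65535 - - - RECEIVE
2005-11-20 11:43:52 CLOSE TCP 192.168.0.6 207.46.248.254 4280 80 - - - - - - - - -
2005-11-20 11:44:02 DROP TCP 192.168.0.7 192.168.0.6 1173 3389 48 S 3376513444 0 65535 - - - RECEIVE
2005-11-20 11:48:36 OPEN TCP 192.168.0.6 66.102.7.104 4310 80 - - - - - - - - -
2005-11-20 11:48:44 CLOSE TCP 192.168.0.6 207.46.248.248 4311 80 - - - - - - - -
"""


def parse_firewall_log(text):
    """Return (header, records): header maps each # directive to its value,
    each record maps a #Fields name to its value ('-' becomes None)."""
    header, records, fields = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines look like "#Name: value"; split on the first colon only.
            name, _, value = line[1:].partition(":")
            header[name.strip()] = value.strip()
            if name.strip() == "Fields":
                fields = value.split()  # column names for every record that follows
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        cols = line.split()
        rec = {f: (None if v == "-" else v) for f, v in zip(fields, cols)}
        # A column count that disagrees with #Fields usually means a truncated line.
        rec["_malformed"] = len(cols) != len(fields)
        records.append(rec)
    return header, records


def dropped_by_source(records, min_hits=3):
    """Count DROP records per (src-ip, dst-port); return the pairs seen min_hits or more times.
    Repeated drops from one source to one port are the entries worth reviewing first."""
    hits = Counter((r.get("src-ip"), r.get("dst-port"))
                   for r in records if r.get("action") == "DROP")
    return {key: n for key, n in hits.items() if n >= min_hits}
```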