You are reading:
Protecting Your Data: A Guide to Windows Firewall

The Security Log File Fields

The fourth header line defines the fields in the log file.

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

The date field identifies the date in the format YYYY-MM-DD. Both the date and time are referenced using the local clock date and time.

The local time is displayed in the log file using the format HH:MM:SS. The hours are referenced in 24-hour format.

As the firewall processes traffic, certain actions are recorded. The logged actions are:

  • OPEN - An outbound session was opened to a remote computer.
  • OPEN-INBOUND - An inbound session was opened to the local computer.
  • CLOSE - A session was completed and closed.
  • DROP - Incoming data was purposely dropped by Windows Firewall.
  • INFO-EVENTS-LOST - Events were processed by Windows Firewall, but the event details were not recorded in the security log. This can occur due to excessive resource utilization on the local computer.

The protocol field refers to the IP-based protocol seen by Windows Firewall. This field may display TCP, UDP or ICMP. The Windows Firewall documentation states that this field may also include an IP protocol number if the network traffic isn't TCP, UDP or ICMP.

Extensive IP protocol scans to and from the computer running Windows Firewall did not log any values in this field except for TCP, UDP or ICMP.

The source IP address of the incoming or outgoing network traffic is shown in this field.

The destination IP address of the incoming or outgoing network traffic is shown in this field.

This field shows the TCP or UDP port of the computer sending the network traffic. IP-based protocols other than TCP or UDP do not use port numbers, so those protocol types will display a hyphen in this field.

The destination TCP or UDP port is shown in this field. If the IP protocol is not UDP or TCP, this field will display a hyphen.

This field refers to the size of the IP traffic. This field only refers to the size of the IP portion of the network frame and does not include the size of the DLC header information.

The tcpflags field displays a list of the flags set in the TCP header of an IP frame. These flags can include:

A - ACK, Acknowledgement
R - RST, Reset
U - URG, Urgent
P - PSH, Push

One or more flags can be listed together in the same field and are presented together without spaces. For example, an abnormal TCP frame with all flags enabled will be displayed in the Windows Firewall log as SFARUP.

This field displays the TCP sequence number from the TCP header. This field should not be confused with the TCP header SYN flag, which performs a completely different function than the TCP header sequence number. It's unfortunate that Microsoft chose to name this field tcpsyn, because statistics relating to the SYN flag are not associated with this field.

This field shows the TCP acknowledgment number seen in the TCP header.

This field displays the TCP window size value derived from the TCP header.

If the network traffic seen by Windows Firewall is an ICMP frame, this field identifies the ICMP type value from the ICMP header.

This field displays the ICMP code value from the ICMP header.

The info field shows details related to the action field of the log entry. For example, a log entry of INFO-EVENTS-LOST will display the number of lost events in the info field.

The path field identifies the direction of the network traffic. This field may display SEND, RECEIVE, FORWARD, or UNKNOWN.