Enabling Audit Events for Windows Firewall with Advanced Security
Applies To: Windows 7, Windows Server 2008 R2
Important
The information in this topic applies mainly to computers that are running Microsoft® Windows Vista® and Windows Server® 2008. Although the audit events are still available in Windows® 7 and Windows Server® 2008 R2, it is more effective on those versions to use the operational event logging that they support. For more information, see Viewing Firewall and IPsec Events in Event Viewer.
By default, Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 does not write any firewall or IPsec events to the Event Viewer logs. The events that it can write are called "audit" events, and they must be enabled before anything is recorded. Once enabled, the events generated by Windows Firewall with Advanced Security appear in the Security log in Event Viewer.
Enable audit events for Windows Firewall with Advanced Security
Viewing firewall and IPsec audit events in Event Viewer
For more information about the events that are generated by Windows Firewall with Advanced Security, see Event IDs Used by Windows Firewall with Advanced Security.
Enable audit events for Windows Firewall with Advanced Security
To enable audit events, use auditpol.exe, a command-line tool that modifies the audit policy of the local computer. You can use auditpol to enable or disable individual categories and subcategories of events, and then view the resulting events in the Event Viewer snap-in.
To get the list of event categories recognized by the auditpol tool, type the following at the command prompt:
auditpol.exe /list /category
To get the list of subcategories under a category (this example uses the category Policy Change), type the following at the command prompt:
auditpol.exe /list /category:"Policy Change"
To enable success and failure auditing for a subcategory, type the following at the command prompt, substituting the category and subcategory names from the lists above:
auditpol.exe /set /category:"CategoryName" /subcategory:"SubcategoryName" /success:enable /failure:enable
An example of setting a category and subcategory to enable is:
auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level Policy Change" /success:enable /failure:enable
The events generated by Windows Firewall with Advanced Security span several categories and subcategories. Consider creating a batch file containing the auditpol commands you need, so that you can enable and disable the audit events as required. The following table lists the event categories and subcategories that are relevant to troubleshooting Windows Firewall with Advanced Security.
Category | Subcategories
---|---
Policy Change | Filtering Platform Policy Change; MPSSVC rule-level Policy Change; Other Policy Change Events
Logon/Logoff | IPsec Main Mode; IPsec Quick Mode; IPsec Extended Mode
System | IPsec Driver; Other System Events
Object Access | Filtering Platform Packet Drop; Filtering Platform Connection
Audit policy settings made with auditpol apply to the local computer only. If audit policy is also configured through Group Policy, the Group Policy settings take precedence and will overwrite your local changes at the next policy refresh, so in a domain environment make the change in the applicable GPO instead. To make sure the settings you want are in effect before you start troubleshooting, restart the computer or force a policy refresh by typing the following command at the command prompt:
gpupdate /force
After you are done troubleshooting, disable the events again by changing enable to disable in the commands above and running them a second time.
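The following script is an added example for this article (it is not from the original Microsoft documentation) of the batch-style approach suggested above, written for an elevated PowerShell prompt. It backs up the current audit policy, then enables or disables all of the subcategories from the table in one pass and prints the effective setting for each. The script name Set-WfasAudit.ps1, the -Mode parameter and the backup file location are assumptions of this example; the auditpol switches used (/backup, /set, /get, /subcategory, /success, /failure) are standard auditpol options.

```powershell
# Set-WfasAudit.ps1 (example script, not part of the original article)
# Enables or disables the audit subcategories used by Windows Firewall with
# Advanced Security and IPsec, then shows the resulting local audit policy.
# Usage (elevated prompt):  .\Set-WfasAudit.ps1 -Mode enable
#                           .\Set-WfasAudit.ps1 -Mode disable
param(
    [ValidateSet('enable', 'disable')]
    [string]$Mode = 'enable'
)

# Subcategories from the table above, grouped by category in comments.
$Subcategories = @(
    # Policy Change
    'Filtering Platform Policy Change',
    'MPSSVC rule-level Policy Change',
    'Other Policy Change Events',
    # Logon/Logoff
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'IPsec Extended Mode',
    # System
    'IPsec Driver',
    'Other System Events',
    # Object Access
    'Filtering Platform Packet Drop',
    'Filtering Platform Connection'
)

# Save the current policy first so it can be put back with
# auditpol /restore /file:<path> once troubleshooting is finished.
$backup = Join-Path $env:TEMP ('auditpol-before-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol.exe /backup "/file:$backup" | Out-Null
Write-Host "Previous audit policy saved to $backup"

foreach ($sub in $Subcategories) {
    # Both success and failure auditing are switched to the requested mode.
    auditpol.exe /set "/subcategory:$sub" "/success:$Mode" "/failure:$Mode" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for '$sub' (exit code $LASTEXITCODE)"
    }
}

# Confirm what is now in effect: print the line for each subcategory
# from auditpol's /get output.
foreach ($sub in $Subcategories) {
    auditpol.exe /get "/subcategory:$sub" | Select-String -SimpleMatch $sub
}
```

Two practical points: the two Object Access subcategories (Filtering Platform Packet Drop and Filtering Platform Connection) record every dropped packet and every allowed or blocked connection, so they fill the Security log very quickly; enable them only for the duration of the troubleshooting session and make sure the Security log is large enough not to wrap before you have read it. And because a Group Policy refresh can overwrite local auditpol settings, check the /get output again if the events stop appearing unexpectedly.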
Viewing firewall and IPsec audit events in Event Viewer
Once the audit events are enabled, use Event Viewer to view the events in the Security event log.
To view firewall and IPsec audit events in Event Viewer
Click Start, click Control Panel, click System and Maintenance (on Windows Vista and Windows Server 2008) or System and Security (on Windows 7 and Windows Server 2008 R2), and then under Administrative Tools click View event logs.
In Event Viewer, expand Windows Logs and then click Security. The list of logged security audit events is displayed at the top of the details pane; clicking an event in the list displays its details at the bottom of the details pane. The General tab gives a description of the event in friendly text. The Details tab lets you view the event data in either Friendly View or XML View. If you need more information about an event, on the General tab, click Event Log Online Help.
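As an added example for this article (not from the original Microsoft documentation), the same events can be pulled from the Security log with PowerShell instead of browsing Event Viewer. The script relies on the fact that the Task Category column of a Security audit event carries the audit subcategory name, so the events written by the firewall service, the filtering platform and IPsec can be selected with the subcategory names from the table above. The script name Get-WfasAuditEvents.ps1 and the -Since and -Newest parameters are assumptions of this example; it requires PowerShell 2.0 or later (for Get-WinEvent) and an elevated prompt, because standard users cannot read the Security log.

```powershell
# Get-WfasAuditEvents.ps1 (example script, not part of the original article)
# Lists firewall and IPsec audit events from the Security log, summarised by
# audit subcategory, then shows the newest ones and one event as XML.
# Usage (elevated prompt):  .\Get-WfasAuditEvents.ps1 -Since (Get-Date).AddMinutes(-30) -Newest 10
param(
    [datetime]$Since = (Get-Date).AddHours(-1),
    [int]$Newest = 20
)

# Task Category (TaskDisplayName) values produced by the subcategories in the
# table above. "Other ... Events" also contain unrelated audit events.
$TaskPattern = '^(Filtering Platform|MPSSVC|IPsec|Other Policy Change Events|Other System Events)'

$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -match $TaskPattern })

if ($events.Count -eq 0) {
    Write-Host "No firewall or IPsec audit events since $Since. Check that the subcategories are enabled (auditpol /get /category:*)."
    return
}

# Summary by subcategory: shows which audit settings are actually producing
# data and which ones are the noisy ones.
$events | Group-Object TaskDisplayName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The newest events (Get-WinEvent returns newest first), with the first line
# of the friendly-text description that the General tab shows.
$events | Select-Object -First $Newest -Property TimeCreated, Id, TaskDisplayName,
    @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# The same data as Event Viewer's XML View, for the newest matching event.
$events[0].ToXml()
```

The XML output is the form to use when you need the individual EventData fields (for example the application path, local and remote addresses and the filter ID in a filtering platform event), because the friendly-text Message is built from those fields and is harder to parse reliably.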