[UPD] The logs kinda different, so I changed my question.
Hi.
I need some ideas to create Windows Firewall Rules dashboard.
Right now it's looks:
Pane 1: List of Firewall Rules
4945 - A rule was listed when the Windows Firewall started
Panel 2: Windows Firewall Exception List
4946 - A change has been made to Windows Firewall exception list. A rule was added
4947 - A change has been made to Windows Firewall exception list. A rule was modified
4948 - A change has been made to Windows Firewall exception list. A rule was deleted
Panel 3: Other Changes In Firewall Rules
4954 - Windows Firewall Group Policy settings has changed. The new settings have been applied
4956 - Windows Firewall has changed the active profile
Panel 4: Local Security Policy
index=win_firewall sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" host=$host$
| stats count by _time host Application_Path Message User
| rename count as Count _time as Time host as Host Application_Path as "Application Path"
| fieldformat Time=strftime('Time', "%c")
| sort -Time
2011 - Firewall Service Block Notifications
2008 - Firewall Rule Processing
2010 - Network profile changed on an interface
Hi Test_qweqwe,
May be below links are helpful to you:
Hi Test_qweqwe,
May be below links are helpful to you:
Thanks, it will help me!
@test_qweqwe, can you add sample data for one of the events? (Assuming all events have similar structure)
would add maybe the a panel that shows how changed firewall rule and whether they supposed to have permission to do so.
also would maybe check changes across time and hosts and see if many changes where apply at the same time or same changes where applied to multiple hosts
hope it helps
can you share sample logs ?