Resolving Windows Firewall Log Ingestion Problems for Azure Sentinel

This problem has come up enough in the last month or so that it's worth a quick-hit blog post to help folks resolve it.

The problem: You enable the Windows Firewall Data Connector in Azure Sentinel, follow the directions, and make sure the Log Analytics agent is installed on the remote system – but the Windows Firewall data never shows up.

The solution: There’s a semi-hidden blurb at the bottom of THIS PAGE that gives you an indication of what the problem is (turn down the log file size) but doesn’t give any direction on how to accomplish it. The directions to resolve this are located HERE, which involves modifying the default maximum file size for the firewall log. Change this value to a default maximum size of 1KB and the log data should start showing up quickly.
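As an added example (not part of the original post), here is the same log-size change done from PowerShell instead of the Windows Firewall GUI, with a before/after check so you can confirm the value actually changed on every profile. It assumes the built-in NetSecurity cmdlets (Get-NetFirewallProfile / Set-NetFirewallProfile) and an elevated session on the host running the Log Analytics agent.

```powershell
# Added example, not from the original post: inspect and adjust the Windows
# Firewall log maximum size that the post identifies as the cause of missing
# Sentinel data. Assumes the NetSecurity module (Windows 8 / Server 2012 and
# later) and an elevated PowerShell session on the affected host.

# The value the post recommends (kilobytes).
$TargetLogSizeKB = 1

function Get-FirewallLogSettings {
    # One row per profile (Domain, Private, Public) showing the settings the
    # connector depends on: where the log is written, its size cap, and
    # whether allowed/blocked connections are being logged at all.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, LogFileName, LogMaxSizeKilobytes, LogAllowed, LogBlocked
}

Write-Host "Firewall log settings before the change:"
Get-FirewallLogSettings | Format-Table -AutoSize

# Apply the post's fix to all three profiles at once.
Set-NetFirewallProfile -All -LogMaxSizeKilobytes $TargetLogSizeKB

# Verify the change took effect on every profile rather than assuming it did.
$after      = Get-FirewallLogSettings
$notApplied = $after | Where-Object { $_.LogMaxSizeKilobytes -ne $TargetLogSizeKB }

if ($notApplied) {
    Write-Warning ("LogMaxSizeKilobytes was not updated on: " + ($notApplied.Name -join ', '))
} else {
    Write-Host "All profiles now use a $TargetLogSizeKB KB maximum log size."
}

Write-Host "Firewall log settings after the change:"
$after | Format-Table -AutoSize
```

If LogAllowed and LogBlocked both show False in the output, no firewall log is being written in the first place, so there is nothing for the agent to forward regardless of the size setting.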

P.S. ONLY perform this modification if you are impacted by this issue. For most situations, the Windows Firewall connection works just fine and I’ve yet to determine the difference in the configurations that causes this to happen. If you come across that difference, I’d love to know. Hit me up on Twitter: @rodtrent.