Support Get Quote

Enabling logging and analyzing Windows firewall logs.

Feb 10, 2022 6 min read

Windows systems have a built-in firewall. Though it doesn't log the network traffic by default, it can be configured and logs of the allowed and denied traffic can be obtained. If firewall logging is authorized, 'pfirewall.log' files will be created in the directory.

How to generate Windows firewall log files

Firewall log generation in Windows is an elementary task. The steps to enable the firewall logs are as follows.


Go to Windows Firewall with Advanced Security, right click on it and click on Properties.


Press Windows (key) + R to open the run box. Type 'wf.msc' and press Enter. The Windows Firewall with Advanced Security screen appears. On the right side of the screen, click Properties.


In the Advanced Security screen that appears, multiple tabs like Domain Profile, Private Profile, Public Profile, IPsec Settings will be visible. Click Private Profile > Logging > Customize.


A new window opens with options to choose the maximum log size, location, and whether to log only dropped packets, a successful connection or both. A dropped packet is a packet that Windows Firewall has blocked. A successful connection may refer to both an incoming connections or any connection that has been made over the Internet.

Go to Log Dropped Packets and switch it to Yes.


Note: Only dropped packets are logged generally. A successful connection doesn't essentially serve the purpose of solving a problem.


After copying the default path for the log file, click OK. Open the destination folder in File Explorer to find a pfirewall.log file.


Copy the file to the desktop and it can be viewed.

Analyzing the Windows firewall logs

The Windows firewall log can be split into two sections, viz. the header and the body. The header provides static information describing the version of the log, and the fields available. The body provides information about the traffic that tries to bypass the firewall. Since it's a dynamic list of logs, new entries are added to the bottom. If no entries are recorded for a field, it is represented using 'hyphen (-)'.

Enabling logging and analyzing Windows firewall logs.

The above image is an example of how a firewall log looks. The key aspects of the above log are:

  • The date and time of the connection.
  • The type of connection and whether it was allowed or dropped.
  • The source and destination IPs and the port that was used for the connection.
  • Information on whether the packets were sent or received.

You may also like


Interested in a
log management

Try EventLog Analyzer
Database platforms

Understanding SQL Server Audit better

Read more
Previous articles
Next articles
Network devices

Critical Windows events: Event ID 6008 - Unexpected system shutdown

Read more

Manage logs, comply with IT regulations, and mitigate security threats.

Seamlessly collect, monitor, and analyze
logs with EventLog Analyzer

Your request for a demo has been submitted successfully

Our support technicians will get back to you at the earliest.

By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

  Zoho Corporation Pvt. Ltd. All rights reserved.

Link copied, now you can start sharing