Friday, January 02, 2015

Monitoring Windows (firewall) log file without tail and grep

I like log files. A good log file can tell you a lot about what happened, be it whether a package was successfully installed, why a user could not check mail, or who tried to connect to our voip server. As a result I use log monitoring a lot on Linux/Unix/OSX. You'll always find me with a session running tail, and sometimes grep, against the appropriate log files. That's how I roll.

On Windows, it seems the status quo when something goes boink is to restart services or host, or hope the error message in the dialog box that popped up is useful enough to be googled. But, Windows has log files just like the other programs. Yes, a lot of application developers do not bother to write good logs for their apps, but the OS itself has a metric buttload of logs which might have caught error messages from those applications. So, let's talk a bit about those logs and how to monitor them. I will warn you that as I come from Unix/Linux, I am very command line-oriented, so expect this discussion to be a bit clickety-click challenged.

The way of the land

Windows does create quite a few log files and has directories (or folders if you will). Here is some of what I see in my rather boring default Windows 7 desktop:

C:\>dir Windows\*.log
 Volume in drive C has no label.
 Volume Serial Number is 705E-722F

 Directory of C:\Windows

12/21/2013  05:53 AM             1,774 DtcInstall.log
01/14/2014  02:15 PM             9,640 IE10_main.log
02/17/2014  07:21 PM            26,875 IE11_main.log
12/20/2013  07:19 PM             3,792 IE9_main.log
12/15/2014  07:39 PM             6,564 PFRO.log
12/15/2014  07:39 PM            16,716 setupact.log
07/13/2009  11:51 PM                 0 setuperr.log
12/21/2013  05:53 AM             1,313 TSSysprep.log
01/04/2015  02:07 AM         1,455,242 WindowsUpdate.log
               9 File(s)      1,521,916 bytes
               0 Dir(s)  14,102,495,232 bytes free

C:\>dir Windows\System32\LogFiles
 Volume in drive C has no label.
 Volume Serial Number is 705E-722F

 Directory of C:\Windows\System32\LogFiles

09/23/2014  02:35 AM    <DIR>          .
09/23/2014  02:35 AM    <DIR>          ..
07/14/2009  12:32 AM    <DIR>          Fax
07/13/2009  09:34 PM    <DIR>          Firewall
09/23/2014  02:35 AM    <DIR>          HTTPERR
12/15/2014  07:50 PM    <DIR>          Scm
12/21/2013  04:00 PM    <DIR>          SQM
07/14/2009  12:32 AM    <DIR>          Windows Portable Devices
07/13/2009  11:45 PM    <DIR>          WMI
07/13/2009  09:36 PM    <DIR>          WUDF
               0 File(s)              0 bytes
              10 Dir(s)  14,102,495,232 bytes free

C:\>

Let's say you want to probulate the WindowsUpdate.log file since it sounds interesting. You open it in notepad, which will get unhappy as it is rather large, or wordpad. Or get notepad++ which I personally recommend.

What if you want to see the file in the command line? The equivalent of the Unix/Linux/OSX cat command it type, but you really do not want to run it on that file. Trust me; I just did it and it scrolled long enough for me to write this and the last paragraph. That does not sound impressing but I am a slow typist. I even had time to get the link for notepad++. Next option is to use more, which is just like the same command in the other operating systems. So you would then be able to see (without them just zooming past your eyes) entries like

2014-12-17      00:54:32:864     920    a3c     Agent   Update {E0A75066-D16E-44
D0-8B6E-2B4708ABE781}.201 is pruned out due to potential supersedence
2014-12-17      00:54:32:864     920    a3c     Agent     * Added update {9FF3F8
7F-0DC5-4484-B757-37C4C25D4965}.201 to search result
2014-12-17      00:54:32:864     920    a3c     Agent     * Found 49 updates and
 77 categories in search; evaluated appl. rules of 1876 out of 2659 deployed ent
ities
2014-12-17      00:54:32:911     920    a3c     Agent   *********
2014-12-17      00:54:32:911     920    a3c     Agent   **  END  **  Agent: Find
ing updates [CallerId = AutomaticUpdates]
2014-12-17      00:54:32:911     920    a3c     Agent   *************
2014-12-17      00:54:32:942     920    a3c     Report  REPORT EVENT: {EFE8CD74-
F8C9-4D59-8F52-63D3EA18D227}    2014-12-17 00:54:32:895-0500    1       147
101     {00000000-0000-0000-0000-000000000000}  0       0       AutomaticUpdates
        Success Software Synchronization        Windows Update Client successful
ly detected 49 updates.
2014-12-17      00:54:32:942     920    a3c     Report  CWERReporter finishing e
vent handling. (00000000)
2014-12-17      00:54:32:942     920    a3c     Report  CWERReporter finishing e
vent handling. (00000000)
2014-12-17      00:54:32:942     920    a3c     Report  CWERReporter finishing e
vent handling. (00000000)
2014-12-17      00:54:32:942     920    a3c     Report  CWERReporter finishing e
vent handling. (00000000)
2014-12-17      00:54:32:942     920    a3c     Report  CWERReporter finishing e
vent handling. (00000000)
2014-12-17      00:54:32:942     920    874     AU      >>##  RESUMED  ## AU: Se
arch for updates [CallId = {544A18F0-EC84-497E-ADEE-F8DEF8F09585}]
2014-12-17      00:54:32:942     920    874     AU        # 49 updates detected
2014-12-17      00:54:32:942     920    874     AU      #########
2014-12-17      00:54:32:942     920    874     AU      ##  END  ##  AU: Search
for updates [CallId = {544A18F0-EC84-497E-ADEE-F8DEF8F09585}]
2014-12-17      00:54:32:942     920    874     AU      #############
2014-12-17      00:54:32:942     920    874     AU      Successfully wrote event
 for AU health state:0
2014-12-17      00:54:32:942     920    874     AU      #############
2014-12-17      00:54:32:942     920    874     AU      ## START ##  AU: Refresh
 featured updates info
-- More (0%) --

At this point you might be better off opening this massive file in wordpad or notepad++ and use its search features. But you get the point. However, sometimes you want to see what is being added to a log file in real time. And that dovetails to...

Monitoring

As I mentioned before, when tracking down issues I like to see what a log file spits out as I do something. I will use here a real example that happened today: let's say you have two Windows servers where serverA runs a service on port, say, 8002 that a program on serverB connects to. And example to this setup would be a web server reaching a database server. Problem is that the two servers are not talking to each other. Since both programs/services are commercial products, you contact both vendors. VendorB states it must be a firewall issue or misconfiguration on serverA. You run netstat on serverA and see that the process is running:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:8002           0.0.0.0:0              LISTENING
 [probltr.exe]
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  EventLog
 [svchost.exe]

Next step you do is connect from a machine which is allowed by the network firewall to reach serverA using telnet or nmap or netcat or even your own crafted Powershell script; pick your poison. It works. Then you do the same from serverA, and get the same results. So, then next step now is to see if vendorB's program is talking to serverA.

We could install wireshark, but then we look at the name of this blog entry and decided to use only what comes with Windows. Since we have network questions, let's make the firewall log on both servers a bit more verbose

PS C:\Windows\system32> netsh firewall set logging droppedpackets = enable connections= enable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.

PS C:\Windows\system32>
What we told it to do is to log every time a packet is dropped and a connection is started no matter the outcome. We should be good to go but I would sleep better at night by verifying:
PS C:\Windows\system32> netsh firewall show logging

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Enable
Connections     = Enable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .


PS C:\Windows\system32>
Note that it even told us the path to the firewall log, but we kinda new that from earlier on, right?

So let's do some monitoring, and to do that we need to get some help from Powershell. Now there are many ways to run powershell, but if you are still on the DOS prompt, how about if you just type powershell there? You will know you are in powershell because your prompt is now PS C:\> (note the PS in the front)

C:\>powershell
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\> 
As this blog entry is getting long, and because I know the outcome, I will focus only on serverB.

If you want to emulate

tail -f C:\Windows\system32\LogFiles\Firewall\pfirewall.log
in Powershell, you can do something like

Get-Content -Path "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -wait

Since I only care about the entries that go to serverA whose IP (192.168.1.5) I happen to know, I can emulate

tail -f C:\Windows\system32\LogFiles\Firewall\pfirewall.log | grep '192.168.1.5'
By doing
PS C:\Windows\system32> Get-Content -Path "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -wait| Select-String -pa
ttern "192.168.1.5"

2015-01-02 07:50:09 ALLOW TCP 192.168.2.7 192.168.1.5 34414 5001 0 - 0 0 0 - - - SEND
2015-01-02 09:54:45 ALLOW TCP 192.168.1.5 192.168.2.7 57842 5000 0 - 0 0 0 - - - RECEIVE
2015-01-02 10:08:09 ALLOW TCP 192.168.2.7 192.168.1.5 38365 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:09:09 ALLOW TCP 192.168.2.7 192.168.1.5 38403 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:10:52 ALLOW TCP 192.168.1.5 192.168.2.7 57973 5000 0 - 0 0 0 - - - RECEIVE
2015-01-02 10:13:09 ALLOW TCP 192.168.2.7 192.168.1.5 38525 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:15:09 ALLOW TCP 192.168.2.7 192.168.1.5 38584 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:16:09 ALLOW TCP 192.168.2.7 192.168.1.5 38613 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:19:09 ALLOW TCP 192.168.2.7 192.168.1.5 38674 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:26:09 ALLOW TCP 192.168.2.7 192.168.1.5 38853 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:28:09 ALLOW TCP 192.168.2.7 192.168.1.5 38919 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:34:09 ALLOW TCP 192.168.2.7 192.168.1.5 39090 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:36:09 ALLOW TCP 192.168.2.7 192.168.1.5 39146 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:46:09 ALLOW TCP 192.168.2.7 192.168.1.5 39497 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:47:12 ALLOW TCP 192.168.2.7 192.168.1.5 39528 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:50:09 ALLOW TCP 192.168.2.7 192.168.1.5 39625 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:52:09 ALLOW TCP 192.168.2.7 192.168.1.5 39701 5001 0 - 0 0 0 - - - SEND
2015-01-02 10:54:09 ALLOW TCP 192.168.2.7 192.168.1.5 39770 5001 0 - 0 0 0 - - - SEND
2015-01-02 11:05:40 ALLOW TCP 192.168.2.7 192.168.1.5 40057 5001 0 - 0 0 0 - - - SEND
2015-01-02 11:08:09 ALLOW TCP 192.168.2.7 192.168.1.5 40145 5001 0 - 0 0 0 - - - SEND
2015-01-02 11:13:09 ALLOW TCP 192.168.2.7 192.168.1.5 40306 5001 0 - 0 0 0 - - - SEND
2015-01-02 11:45:09 ALLOW TCP 192.168.2.7 192.168.1.5 41218 5001 0 - 0 0 0 - - - SEND
2015-01-02 11:51:15 ALLOW TCP 192.168.1.5 192.168.2.7 59024 5000 0 - 0 0 0 - - - RECEIVE
2015-01-02 12:22:09 ALLOW TCP 192.168.2.7 192.168.1.5 42375 8002 0 - 0 0 0 - - - SEND

Note that the only time serverB (192.168.2.7) ever connected today to serverA (192.168.1.5) was when I tried to connect to it, in this case using telnet. So, I sent the above to VendorB, which agreed (admited?) their software was misconfigured, and corrected that.

Once you verify both servers are talking to each other, you could then reset the firewall by typing

netsh firewall set logging droppedpackets = disable connections= disable

1 comment:

clod said...

I prefer to use and recommend Codelobster editor