How to Read a Windows Firewall Log
By Chris Hoffman
Microsoft Windows includes a built-in firewall. By default, the firewall does not log any traffic. However, users or system administrators can optionally configure the firewall to log dropped traffic, successful connections or both. If Windows firewall logging is enabled, Windows firewall generates "pfirewall.log" files in the Windows directory hierarchy. You can read the Windows firewall log files by opening them in Notepad.
Open the Windows firewall log directory by clicking "Start," typing "%windir%\system32\logfiles\firewall\" into the search box in the start menu and pressing "Enter." On older versions of Windows, click "Run," type "%windir%\system32\logfiles\firewall\" into the Run dialog box and press "Enter."
Open the most recent Windows Firewall log in Notepad by double-clicking the "pfirewall.log" file or open the older Windows firewall log file in Notepad by double-clicking the "pfirewall.log.old" file, clicking "Select a Program from the List of Installed Programs" and double-clicking "Notepad."
Read the "Fields" line near the top of the log file, it indicates the format of the log file. For example, the line "Fields: date dst-port dst-ip" indicates that all the log file's lines list the date of the connection, a space, the destination port, a space and the destination IP address.
Read the lines beneath the "Fields" header, checking the list after the "Fields:" header to make sense of the listed data.
- Windows generates firewall logs in W3C Extended Log File Format; third-party utilities that support this file format can view the log.
- Windows generates firewall logs only if configured to do so. By default, the Windows firewall does not log traffic. See Microsoft's documentation for information on enabling firewall traffic logging.
Chris Hoffman is a technology writer and all-around tech geek who writes for PC World, MakeUseOf, and How-To Geek. He's been using Windows since Windows 3.1 was released in 1992.