Win Firewall Log Analyser: How to Track and Monitor Traffic

How to Set Up a Win Firewall Log Analyser Easily

Windows Firewall is your system’s first line of defense. It blocks unauthorized traffic and keeps your data secure. However, a firewall is only truly effective if you know what it is blocking.

Raw Windows Firewall logs are notoriously difficult to read. They consist of massive, unformatted text files filled with confusing IP addresses and ports. To make sense of this data, you need a dedicated log analyser.

Here is how to set up a Windows Firewall log analyser easily using free, open-source tools.

Step 1: Enable Windows Firewall Logging

Before you can analyse logs, Windows must actually generate them. By default, Windows Firewall does not log successful or dropped connections.

Press Win + R, type wf.msc, and press Enter to open Windows Defender Firewall with Advanced Security. In the right-hand actions pane, click Properties.

Select your active profile tab (Domain, Private, or Public). In the Logging section, click Customize. Change “Log dropped packets” to Yes.

Change “Log successful connections” to Yes (Note: This creates very large files; enable it only for temporary troubleshooting).

Copy the listed File name path (usually C:\Windows\System32\LogFiles\Firewall\pfirewall.log) and click OK.

Step 2: Choose and Download a Free Log Analyser

For a quick, easy, and visual setup, we will use FWLogView by NirSoft or LogParser Lizard. Both are lightweight, free, and require zero complex database configurations.

FWLogView: Best for a lightweight, instant spreadsheet-style view.

LogParser Lizard: Best for advanced SQL querying and colorful charts.

For this guide, download FWLogView from the official NirSoft website. It runs as a portable executable, meaning it requires no installation.

Step 3: Connect the Analyser to Your Logs

Once downloaded, you need to point the software to your active Windows log file.

Right-click the downloaded FWLogView application and select Run as administrator (this ensures it has permission to read system folders).

Go to Options in the top menu and select Advanced Options (or press F9).

Under “Load logs from,” select Standard Windows Firewall log file.

If the path does not match the one you copied in Step 1, browse manually to find your pfirewall.log file. Click OK.

The tool will immediately parse the raw text file into a clean, readable table.

Step 4: Reading and Filtering the Data

Now that your data is visual, you can easily spot security threats or connection issues. The tool organizes your data into helpful columns:

Action: Look for DROP to see what Windows blocked. Look for ALLOW to see successful traffic.

Source IP: The identity of the computer trying to communicate. Look out for external, unfamiliar IP addresses.

Destination Port: Tells you which service the traffic is targeting. For example, ports 80/443 are web traffic, while port 3389 is Remote Desktop.

To find specific threats, use the Find tool (Ctrl + F) to search for suspicious IP addresses, or click any column header to sort the data instantly.

Pro-Tip: Automate Threat Detection

If you see an unfamiliar external IP address constantly appearing with a “DROP” action, your system is likely being scanned by automated bots. You can right-click any line in FWLogView to instantly perform a WHOIS lookup. This shows which organisation the address block is registered to and which country it originates from, allowing you to create stricter blocking rules if necessary.
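The same check the Pro-Tip describes, as an added example that is not part of the original post or of FWLogView: it parses the pfirewall.log format (the column names come from the file’s own “#Fields:” header), keeps only inbound DROP records from addresses outside the local ranges, and reports sources that were dropped repeatedly together with the ports they targeted. The log lines, the RFC 1918 LAN ranges and the threshold of three hits are constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in pfirewall.log (W3C extended) format; not real traffic.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:23:45 DROP TCP 203.0.113.5 192.168.1.10 51234 3389 52 S 1234567890 0 8192 - - - RECEIVE
2024-01-15 10:23:46 DROP TCP 203.0.113.5 192.168.1.10 51235 445 52 S 1234567891 0 8192 - - - RECEIVE
2024-01-15 10:23:47 DROP TCP 203.0.113.5 192.168.1.10 51236 22 52 S 1234567892 0 8192 - - - RECEIVE
2024-01-15 10:23:50 DROP UDP 192.168.1.20 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2024-01-15 10:24:01 ALLOW TCP 192.168.1.10 198.51.100.7 49876 443 0 - 0 0 0 - - - SEND
2024-01-15 10:24:05 DROP TCP 198.51.100.9 192.168.1.10 40000 3389 52 S 1234567893 0 8192 - - - RECEIVE
"""

# Assumed "internal" ranges: RFC 1918 plus loopback and link-local. Listed explicitly
# because ipaddress.is_private also treats documentation ranges such as 203.0.113.0/24 as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_pfirewall(text):
    """Yield one dict per record, naming columns from the '#Fields:' header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def inbound_drop_sources(text, min_hits=3):
    """Return {src-ip: (drop_count, sorted dst-ports)} for external addresses whose
    inbound packets (path RECEIVE) were dropped at least min_hits times."""
    hits, ports = Counter(), defaultdict(set)
    for rec in parse_pfirewall(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if any(src in net for net in LAN_NETS):   # local chatter (e.g. NetBIOS) is expected noise
            continue
        hits[rec["src-ip"]] += 1
        ports[rec["src-ip"]].add(int(rec["dst-port"]))
    return {ip: (n, sorted(ports[ip])) for ip, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for ip, (n, p) in inbound_drop_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} dropped inbound packets, targeted ports {p}")
```

Point it at the real file by replacing SAMPLE_LOG with the contents of the path copied in Step 1; an address that keeps reappearing with a spread of ports is the scanning pattern the Pro-Tip refers to.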

To help you get the most out of your new setup, let me know:

Are you setting this up for a single home PC or a corporate network?
