How to Enable Firewall Logging in Batch Script

Modern Windows Firewall management is often like flying blind; you know a connection is working (or failing), but you can't see the "Engine Room" data. Firewall Logging provides the transparency needed for high-level network diagnostics. It records the date, time, protocol, source IP, and destination IP of every packet that crosses the firewall boundary. Whether you are debugging a new software installation or investigating a potential security breach, having a persistent text-based log is the only way to prove exactly what the firewall is doing. A Batch script can instantly enable these logs across all network profiles and configure the log file size to prevent system bloat.

This guide will explain how to set up and customize the Windows Firewall logs.

Method 1: Enabling Global Logging (Standard)

This method activates logging for both Dropped packets (security) and Success packets (debugging) for all network profiles.

@echo off
setlocal

set "TargetDir=C:\FirewallLogs"
set "LogFile=%TargetDir%\firewall.log"
set "SetupFailed=0"

echo [ACTION] Initializing Firewall Audit Logs...

:: 1. Create directory if it doesn't exist
if not exist "%TargetDir%" mkdir "%TargetDir%"

:: 2. Set the Log Configuration
:: - filename = where to save
:: - maxfilesize = size in KB (4096 = 4MB)
:: - droppedconnections = enable/disable
:: - allowedconnections = enable/disable
netsh advfirewall set allprofiles logging filename "%LogFile%"
if %errorlevel% neq 0 set "SetupFailed=1"

netsh advfirewall set allprofiles logging maxfilesize 4096
if %errorlevel% neq 0 set "SetupFailed=1"

netsh advfirewall set allprofiles logging droppedconnections enable
if %errorlevel% neq 0 set "SetupFailed=1"

netsh advfirewall set allprofiles logging allowedconnections enable
if %errorlevel% neq 0 set "SetupFailed=1"

if "%SetupFailed%"=="0" (
    echo [SUCCESS] Logging is now ACTIVE.
    echo Log Path: %LogFile%
) else (
    echo [ERROR] One or more logging commands failed.
    echo Ensure you are running as ADMIN.
)

pause
endlocal

Warning: Resource Usage. Logging "Allowed Connections" creates a massive amount of data. Turn it on for short-term testing only, and turn it off (disable) as soon as you're done.

Method 2: The "Stealth Audit" (Dropped Only)

If you only care about security (who is trying to attack you), disable "Allowed" logging and only keep "Dropped" logging.

@echo off
echo [HARDENING] Enabling security-only firewall logging...

netsh advfirewall set allprofiles logging droppedconnections enable
if %errorlevel% neq 0 (
    echo [ERROR] Failed to enable dropped connection logging.
    pause
    exit /b 1
)

netsh advfirewall set allprofiles logging allowedconnections disable
if %errorlevel% neq 0 (
    echo [ERROR] Failed to disable allowed connection logging.
    pause
    exit /b 1
)

echo [OK] ONLY blocked connections will be recorded.
pause

Method 3: Resetting Log Configuration

If the log file is corrupted or taking up too much space, you can reset the logging settings to their default "Off" state.

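@echo off
setlocal
set "ResetFailed=0"
echo [ACTION] Disabling and resetting firewall logs...

:: Check each command; a single %errorlevel% test at the end only reflects the last one
netsh advfirewall set allprofiles logging droppedconnections disable
if %errorlevel% neq 0 set "ResetFailed=1"

netsh advfirewall set allprofiles logging allowedconnections disable
if %errorlevel% neq 0 set "ResetFailed=1"

netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
if %errorlevel% neq 0 set "ResetFailed=1"

if "%ResetFailed%"=="0" (
    echo [DONE] Logging has been restored to default state.
) else (
    echo [ERROR] Failed to reset logging. Ensure you are running as ADMIN.
)

pause
endlocal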

How to Avoid Common Errors

Wrong Way: Pointing the log to a "Protected" user folder

If you try to save the log to C:\Users\Admin\Desktop, the Firewall Service (which runs as a System account) will not have "Write" permission, and no log will be created.

Correct Way: Use a generic system folder like C:\FirewallLogs and grant the "SYSTEM" account "Full Control" in the security tab.

Problem: Log Bloat

If your maxfilesize is too high, a busy server can fill up the entire hard drive with text logs of simple web traffic.

Solution: Use a conservative maxfilesize (like 4096 or 8192 KB). Windows will automatically overwrite the oldest data when the limit is reached, maintaining a "Rolling" log.

Best Practices and Rules

1. Identify the Column Format

Opening the log file (usually pfirewall.log) requires a text editor. The first few lines explain the structure: date time action protocol src-ip dst-ip src-port dst-port. Print this "Legend" out if you are giving the log to a junior admin.

2. Administrator Elevation

You cannot modify firewall logging settings without Administrator rights.

3. Check for "Probing"

In your log, look for a single "Source IP" that hits many different "Destination Ports." This is a classic Port Scan. Use this data to help you create specific "BLOCK" rules later.
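The column legend from rule 1 and the probing check from rule 3 can be combined into one offline triage script. This is an added example, not part of the original guide: the function names, the sample log lines and the `min_ports=5` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample (documentation-range IPs) using the columns the guide lists.
# Real logs carry more columns; the header-driven mapping below tolerates that.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port

2024-05-01 10:00:01 DROP TCP 203.0.113.7 192.0.2.10 51000 22
2024-05-01 10:00:01 DROP TCP 203.0.113.7 192.0.2.10 51001 23
2024-05-01 10:00:02 DROP TCP 203.0.113.7 192.0.2.10 51002 80
2024-05-01 10:00:02 DROP TCP 203.0.113.7 192.0.2.10 51003 445
2024-05-01 10:00:03 DROP TCP 203.0.113.7 192.0.2.10 51004 3389
2024-05-01 10:00:04 ALLOW TCP 192.0.2.10 198.51.100.20 49800 443
2024-05-01 10:00:05 DROP UDP 198.51.100.9 192.0.2.10 5353 5353
2024-05-01 10:00:06 DROP UDP 198.51.100.9 192.0.2.10 5353 5353
2024-05-01 10:00:07 DROP ICMP 198.51.100.9 192.0.2.10 - -
"""


def parse_firewall_log(text):
    """Yield one dict per record, naming columns from the '#Fields:' legend."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def find_port_probes(records, min_ports=5):
    """Map src-ip -> sorted dropped dst ports for sources hitting >= min_ports ports."""
    ports = defaultdict(set)
    for rec in records:
        # Rows without a port show '-' in that column, so keep numeric ports only.
        if rec.get("action") == "DROP" and rec.get("dst-port", "").isdigit():
            ports[rec.get("src-ip")].add(int(rec["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, hit in find_port_probes(parse_firewall_log(SAMPLE_LOG)).items():
        print(f"{ip} probed {len(hit)} distinct ports: {hit}")
```

Counting distinct ports rather than raw rows keeps a noisy but harmless sender (the repeated UDP 5353 rows in the sample) from being flagged as a scanner.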

Conclusions

Enabling firewall logging via Batch script provides a professional-grade window into your network's activity. By moving from "Guesswork" to "Evidence," you empower yourself to solve connectivity problems faster and detect security threats before they escalate. This data-driven approach is essential for maintaining a high standard of network integrity and system transparency in any Windows environment.