<#
.SYNOPSIS
Windows Firewall Log Prometheus Metrics Exporter
.DESCRIPTION
Prometheus exporter for Windows Firewall log activity -- parses the
pfirewall.log file and exports metrics about firewall events including
allowed/dropped connections, top blocked ports, top blocked source IPs,
and log file statistics. Exports metrics as Prometheus-compatible text
format for windows_exporter textfile collector.
.PARAMETER LogFile
Path to Windows Firewall log file
(default: C:\Windows\System32\LogFiles\Firewall\pfirewall.log)
.PARAMETER LookbackMinutes
Only parse log entries from the last N minutes (default: 5)
.PARAMETER TopN
Number of top source IPs and ports to report (default: 10)
.PARAMETER Mode
Output mode: 'stdout' (default), 'textfile', or 'http'
.PARAMETER Port
HTTP port for http mode (default: 9196)
.PARAMETER TextfileDir
Directory for textfile collector output (default: C:\ProgramData\node_exporter)
.PARAMETER InstallScheduledTask
Switch to create a scheduled task for auto-start on system boot
.PARAMETER TaskIntervalMinutes
Interval in minutes for the scheduled task (default: 5)
.NOTES
Author: Phil Connor
Contact: contact@mylinux.work
Website: https://mylinux.work
License: MIT
Version: 1.0
Metrics Exported:
Core Status:
- windows_firewall_log_up
- windows_firewall_log_exporter_info{version}
Event Counts:
- windows_firewall_log_events_total{action,protocol,direction}
- windows_firewall_log_dropped_total
- windows_firewall_log_allowed_total
Top N Breakdowns:
- windows_firewall_log_dropped_by_port_total{port,protocol}
- windows_firewall_log_dropped_by_source_total{source_ip}
- windows_firewall_log_unique_source_ips
Log File:
- windows_firewall_log_file_size_bytes
- windows_firewall_log_file_lines_total
Exporter:
- windows_firewall_log_exporter_duration_seconds
- windows_firewall_log_exporter_last_run_timestamp
#>
param(
[string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
[int]$LookbackMinutes = 5,
[int]$TopN = 10,
[ValidateSet('stdout', 'textfile', 'http')]
[string]$Mode = 'stdout',
[int]$Port = 9196,
[string]$TextfileDir = 'C:\ProgramData\node_exporter',
[switch]$InstallScheduledTask,
[int]$TaskIntervalMinutes = 5
)
# Create a scheduled task to run this script every $TaskIntervalMinutes minutes
# The task will run as SYSTEM and will be set to run at startup
if ($InstallScheduledTask) {
$taskName = "WindowsFirewallLogExporter"
$existingTask = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $existingTask) {
$taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`" -Mode textfile"
if (-not $TaskIntervalMinutes -or $TaskIntervalMinutes -le 0) {
throw "TaskIntervalMinutes must be a positive integer"
}
$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes $TaskIntervalMinutes) -RepetitionDuration (New-TimeSpan -Days 365)
$taskPrincipal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
try {
Write-Host "Creating scheduled task: $taskName"
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Principal $taskPrincipal -Description "Exports Windows Firewall log metrics for Prometheus every $TaskIntervalMinutes minutes"
$createdTask = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $createdTask) {
throw "Failed to verify scheduled task creation"
}
Write-Host "Successfully created scheduled task: $taskName" -ForegroundColor Green
} catch {
Write-Error "Failed to create scheduled task: $($_.Exception.Message)"
throw
}
} else {
Write-Host "Scheduled task '$taskName' already exists, skipping creation"
}
}
$ErrorActionPreference = 'SilentlyContinue'
# ============================================================================
# HELPER FUNCTIONS
# ============================================================================
function Get-UnixTimestamp {
[int][double]::Parse((Get-Date -UFormat '%s'))
}
function Format-MetricValue {
param([double]$Value, [int]$Decimals = 2)
[math]::Round($Value, $Decimals)
}
# ============================================================================
# FIREWALL LOG PARSING
# ============================================================================
function Get-FirewallLogMetrics {
$sb = [System.Text.StringBuilder]::new()
# pfirewall.log format (space-delimited):
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
if (-not (Test-Path $LogFile)) {
return $sb.ToString()
}
$cutoff = (Get-Date).AddMinutes(-$LookbackMinutes)
$lines = @()
try {
$rawLines = Get-Content -Path $LogFile -Tail 50000 -ErrorAction Stop
} catch {
return $sb.ToString()
}
# Parse and filter lines within lookback window
$parsedEvents = @()
$totalLinesParsed = 0
foreach ($line in $rawLines) {
# Skip comment lines
if ($line.StartsWith('#')) { continue }
$fields = $line -split '\s+'
if ($fields.Count -lt 8) { continue }
# Parse date and time from first two fields
try {
$entryTime = [datetime]::ParseExact("$($fields[0]) $($fields[1])", 'yyyy-MM-dd HH:mm:ss', $null)
} catch {
continue
}
if ($entryTime -lt $cutoff) { continue }
$totalLinesParsed++
$parsedEvents += [PSCustomObject]@{
Action = $fields[2].ToUpper()
Protocol = $fields[3].ToUpper()
SrcIP = $fields[4]
DstIP = $fields[5]
SrcPort = $fields[6]
DstPort = $fields[7]
Direction = if ($fields.Count -ge 17) { $fields[16].ToUpper() } else { 'UNKNOWN' }
}
}
# --- windows_firewall_log_events_total ---
[void]$sb.AppendLine('# HELP windows_firewall_log_events_total Total firewall log events by action, protocol, and direction')
[void]$sb.AppendLine('# TYPE windows_firewall_log_events_total gauge')
$eventGroups = $parsedEvents | Group-Object -Property Action, Protocol, Direction
foreach ($group in $eventGroups) {
$parts = $group.Name -split ', '
$action = $parts[0]
$protocol = $parts[1]
$direction = $parts[2]
[void]$sb.AppendLine("windows_firewall_log_events_total{action=`"$action`",protocol=`"$protocol`",direction=`"$direction`"} $($group.Count)")
}
[void]$sb.AppendLine('')
# --- windows_firewall_log_dropped_total ---
$droppedEvents = @($parsedEvents | Where-Object { $_.Action -eq 'DROP' })
$droppedTotal = $droppedEvents.Count
[void]$sb.AppendLine('# HELP windows_firewall_log_dropped_total Total dropped events in lookback window')
[void]$sb.AppendLine('# TYPE windows_firewall_log_dropped_total gauge')
[void]$sb.AppendLine("windows_firewall_log_dropped_total $droppedTotal")
[void]$sb.AppendLine('')
# --- windows_firewall_log_allowed_total ---
$allowedEvents = @($parsedEvents | Where-Object { $_.Action -eq 'ALLOW' })
$allowedTotal = $allowedEvents.Count
[void]$sb.AppendLine('# HELP windows_firewall_log_allowed_total Total allowed events in lookback window')
[void]$sb.AppendLine('# TYPE windows_firewall_log_allowed_total gauge')
[void]$sb.AppendLine("windows_firewall_log_allowed_total $allowedTotal")
[void]$sb.AppendLine('')
# --- windows_firewall_log_dropped_by_port_total ---
[void]$sb.AppendLine('# HELP windows_firewall_log_dropped_by_port_total Dropped events by destination port (top N)')
[void]$sb.AppendLine('# TYPE windows_firewall_log_dropped_by_port_total gauge')
$portGroups = $droppedEvents |
Where-Object { $_.DstPort -ne '-' } |
Group-Object -Property DstPort, Protocol |
Sort-Object Count -Descending |
Select-Object -First $TopN
foreach ($group in $portGroups) {
$parts = $group.Name -split ', '
$port = $parts[0]
$protocol = $parts[1]
[void]$sb.AppendLine("windows_firewall_log_dropped_by_port_total{port=`"$port`",protocol=`"$protocol`"} $($group.Count)")
}
[void]$sb.AppendLine('')
# --- windows_firewall_log_dropped_by_source_total ---
[void]$sb.AppendLine('# HELP windows_firewall_log_dropped_by_source_total Dropped events by source IP (top N)')
[void]$sb.AppendLine('# TYPE windows_firewall_log_dropped_by_source_total gauge')
$sourceGroups = $droppedEvents |
Group-Object -Property SrcIP |
Sort-Object Count -Descending |
Select-Object -First $TopN
foreach ($group in $sourceGroups) {
[void]$sb.AppendLine("windows_firewall_log_dropped_by_source_total{source_ip=`"$($group.Name)`"} $($group.Count)")
}
[void]$sb.AppendLine('')
# --- windows_firewall_log_unique_source_ips ---
$uniqueSourceIPs = ($droppedEvents | Select-Object -ExpandProperty SrcIP -Unique).Count
[void]$sb.AppendLine('# HELP windows_firewall_log_unique_source_ips Count of unique source IPs in dropped events')
[void]$sb.AppendLine('# TYPE windows_firewall_log_unique_source_ips gauge')
[void]$sb.AppendLine("windows_firewall_log_unique_source_ips $uniqueSourceIPs")
[void]$sb.AppendLine('')
# --- windows_firewall_log_file_size_bytes ---
$fileSize = (Get-Item -Path $LogFile -ErrorAction SilentlyContinue).Length
if (-not $fileSize) { $fileSize = 0 }
[void]$sb.AppendLine('# HELP windows_firewall_log_file_size_bytes Size of the firewall log file in bytes')
[void]$sb.AppendLine('# TYPE windows_firewall_log_file_size_bytes gauge')
[void]$sb.AppendLine("windows_firewall_log_file_size_bytes $fileSize")
[void]$sb.AppendLine('')
# --- windows_firewall_log_file_lines_total ---
[void]$sb.AppendLine('# HELP windows_firewall_log_file_lines_total Total lines parsed in lookback window')
[void]$sb.AppendLine('# TYPE windows_firewall_log_file_lines_total gauge')
[void]$sb.AppendLine("windows_firewall_log_file_lines_total $totalLinesParsed")
[void]$sb.AppendLine('')
$sb.ToString()
}
# ============================================================================
# COLLECT ALL METRICS
# ============================================================================
function Get-AllMetrics {
$scriptStart = Get-Date
$sb = [System.Text.StringBuilder]::new()
try {
if (-not (Test-Path $LogFile)) {
# Log file not found -- exporter is down
[void]$sb.AppendLine('# HELP windows_firewall_log_up Exporter status (1=up, 0=down)')
[void]$sb.AppendLine('# TYPE windows_firewall_log_up gauge')
[void]$sb.AppendLine('windows_firewall_log_up 0')
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_info Exporter version information')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_info gauge')
[void]$sb.AppendLine('windows_firewall_log_exporter_info{version="1.0"} 1')
[void]$sb.AppendLine('')
$scriptEnd = Get-Date
$duration = Format-MetricValue ($scriptEnd - $scriptStart).TotalSeconds
$timestamp = Get-UnixTimestamp
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_duration_seconds Time to generate all metrics')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_duration_seconds gauge')
[void]$sb.AppendLine("windows_firewall_log_exporter_duration_seconds $duration")
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_last_run_timestamp Unix timestamp of last successful run')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_last_run_timestamp gauge')
[void]$sb.AppendLine("windows_firewall_log_exporter_last_run_timestamp $timestamp")
[void]$sb.AppendLine('')
return $sb.ToString()
}
# Exporter up
[void]$sb.AppendLine('# HELP windows_firewall_log_up Exporter status (1=up, 0=down)')
[void]$sb.AppendLine('# TYPE windows_firewall_log_up gauge')
[void]$sb.AppendLine('windows_firewall_log_up 1')
[void]$sb.AppendLine('')
# Exporter info
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_info Exporter version information')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_info gauge')
[void]$sb.AppendLine('windows_firewall_log_exporter_info{version="1.0"} 1')
[void]$sb.AppendLine('')
# Collect firewall log metrics
[void]$sb.Append((Get-FirewallLogMetrics))
# Exporter runtime
$scriptEnd = Get-Date
$duration = Format-MetricValue ($scriptEnd - $scriptStart).TotalSeconds
$timestamp = Get-UnixTimestamp
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_duration_seconds Time to generate all metrics')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_duration_seconds gauge')
[void]$sb.AppendLine("windows_firewall_log_exporter_duration_seconds $duration")
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_last_run_timestamp Unix timestamp of last successful run')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_last_run_timestamp gauge')
[void]$sb.AppendLine("windows_firewall_log_exporter_last_run_timestamp $timestamp")
[void]$sb.AppendLine('')
}
catch {
# On any error, return up=0 with basic info
$sb = [System.Text.StringBuilder]::new()
[void]$sb.AppendLine('# HELP windows_firewall_log_up Exporter status (1=up, 0=down)')
[void]$sb.AppendLine('# TYPE windows_firewall_log_up gauge')
[void]$sb.AppendLine('windows_firewall_log_up 0')
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_info Exporter version information')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_info gauge')
[void]$sb.AppendLine('windows_firewall_log_exporter_info{version="1.0"} 1')
[void]$sb.AppendLine('')
$timestamp = Get-UnixTimestamp
[void]$sb.AppendLine('# HELP windows_firewall_log_exporter_last_run_timestamp Unix timestamp of last successful run')
[void]$sb.AppendLine('# TYPE windows_firewall_log_exporter_last_run_timestamp gauge')
[void]$sb.AppendLine("windows_firewall_log_exporter_last_run_timestamp $timestamp")
[void]$sb.AppendLine('')
}
$sb.ToString()
}
# ============================================================================
# HTTP SERVER MODE
# ============================================================================
function Start-HttpServer {
param([int]$ListenPort)
$prefix = "http://+:$ListenPort/"
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($prefix)
try {
$listener.Start()
Write-Host "Starting Windows Firewall log exporter on port $ListenPort..." -ForegroundColor Green
Write-Host "Metrics available at http://localhost:$ListenPort/metrics"
while ($listener.IsListening) {
$context = $listener.GetContext()
$request = $context.Request
$response = $context.Response
if ($request.Url.AbsolutePath -eq '/metrics') {
$metrics = Get-AllMetrics
$buffer = [System.Text.Encoding]::UTF8.GetBytes($metrics)
$response.ContentType = 'text/plain; version=0.0.4; charset=utf-8'
}
else {
$html = @"
Windows Firewall Log Exporter v1.0
Windows Firewall Log Exporter v1.0
Metrics
Metrics
- Firewall events by action, protocol, and direction
- Total dropped and allowed events
- Top dropped destination ports
- Top dropped source IPs
- Unique source IPs in dropped events
- Log file size and parsed line count
- Exporter runtime and timestamp
"@
$buffer = [System.Text.Encoding]::UTF8.GetBytes($html)
$response.ContentType = 'text/html; charset=utf-8'
}
$response.ContentLength64 = $buffer.Length
$response.OutputStream.Write($buffer, 0, $buffer.Length)
$response.OutputStream.Close()
}
}
catch {
Write-Error "HTTP server error: $_"
Write-Error "If access denied, run: netsh http add urlacl url=http://+:$ListenPort/ user=Everyone"
}
finally {
if ($listener.IsListening) {
$listener.Stop()
}
}
}
# ============================================================================
# MAIN EXECUTION
# ============================================================================
switch ($Mode) {
'http' {
Start-HttpServer -ListenPort $Port
}
'textfile' {
$OutputFile = Join-Path $TextfileDir 'windows_firewall_log.prom'
$outputDir = Split-Path $OutputFile -Parent
if (-not (Test-Path $outputDir)) {
New-Item -Path $outputDir -ItemType Directory -Force | Out-Null
}
$tempFile = Join-Path $outputDir ".windows_firewall_log_metrics.$PID.tmp"
try {
$metrics = Get-AllMetrics
$metrics | Out-File -FilePath $tempFile -Encoding utf8 -NoNewline
$lineCount = ($metrics -split "`n").Count
if ($lineCount -lt 10) {
Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
Write-Error "Metrics file too small ($lineCount lines), keeping previous"
exit 1
}
Move-Item -Path $tempFile -Destination $OutputFile -Force
Write-Host "Metrics written to $OutputFile ($lineCount lines)" -ForegroundColor Green
}
catch {
Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
Write-Error "Failed to generate metrics: $_"
exit 1
}
}
default {
Get-AllMetrics | Write-Output
}
}