this week I had the problem on a Windows Server 2008 R2 system that I had to recognize if a network connection to specific closed TCP port is tried to established.
The Windows firewall on the machine is running but logs only packets to the firewall logfile for tcp and udp ports an which a process is listen to. Also the parsing of the logfile is frequently necessary.
A better way is to enable the firewall audit option “Filtering Platform Packet Drop”. This generates an EventLog entry with EventID 5152 for each incoming packet which is dropped. Windows provides the abiltiy to trigger an schedule task after an eventlog entry is written and pass some event details as parameter to a script defined in the task. Unfortunataly not with the GUI.
Continue reading Windows: Passing parameters to event triggered schedule tasks