
Windows Firewall log - Extraction/Transforms?

peterfilardo
Explorer

We've been logging Windows Firewall activity to the default location on our 2008+ servers, and now, having Splunk, we have been monitoring that file. The issue is, the data comes back in a rather unsavory view, each line looking roughly like this:

2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND

I suppose my question is about field extraction/transforms. I see that the last few lines of \Splunk\etc\apps\windows\default\transforms.conf include the following entry:

###### Windows Firewall Log ######
[Transform_Windows_FW]

DELIMS = " "

FIELDS  = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"

This looks very relevant to what I need. I have the Splunk for Windows/Splunk TA for Windows apps deployed to all forwarders/search heads/indexers, so I must be missing something easy. Any ideas? Version 6.0 of all components, btw.

ShaneNewman
Motivator

Try this:

Windows Firewall Log
[Transform_Windows_FW]
DELIMS = "\s"
FIELDS  = date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path

In the search bar, after you have saved this in the transforms.conf, put:

some search | extract Transform_Windows_FW

If that works then you can set it up to be automatic in the props.conf

aelliott
Motivator

The DELIMS = "\s" does not work.
Changed it to DELIMS = " " and it worked for me.

0 Karma

ShaneNewman
Motivator

Did that work for you?

0 Karma

ShaneNewman
Motivator

In the props.conf, create an entry with the name of your sourcetype in brackets

[sourcetype]
EXTRACT-windows_firewall = Transform_Windows_FW

Once you do this, go to the main URL and add "/info".

The second selection from the bottom is Reload EAI Objects, selecting that will reload all the configs without restarting the instance.

0 Karma

delink
Communicator

You need to use REPORT-windows_firewall not EXTRACT.

0 Karma
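The two corrections in this thread, aelliott's that DELIMS = "\s" does not split on whitespace and delink's that props.conf must bind the transform with REPORT- rather than EXTRACT-, can both be checked offline. What follows is an added example, not code from the thread or from Splunk: a small Python model of how Splunk applies a DELIMS/FIELDS stanza from transforms.conf to a sourcetype through props.conf. It uses the sample event from the original post verbatim, assumes the sourcetype name pfirewall that b_loveless reports the forwarder assigning, and the props.conf/transforms.conf text embedded in it is constructed for the example. The splitting rule is a simplified reading of Splunk's documented DELIMS behaviour (every character of the DELIMS string is a literal delimiter, FIELDS names the columns in order), not Splunk's actual parser.

```python
"""Offline model of a Splunk DELIMS/FIELDS extraction bound through props.conf.

Added example for this thread, not Splunk's code.  The splitting rule is a
simplified reading of Splunk's documented DELIMS behaviour: every character
of the DELIMS string is a literal delimiter and FIELDS names the columns in
order.
"""
import configparser
import re
import shlex

# Constructed props.conf.  REPORT-<class> binds a transforms.conf stanza to the
# sourcetype; EXTRACT-<class> takes an inline regex instead, so pointing it at
# a stanza name extracts nothing.  'pfirewall' is the sourcetype b_loveless
# reports the forwarder assigning; the class name 'windows_firewall' is arbitrary.
PROPS_CONF = """
[pfirewall]
REPORT-windows_firewall = Transform_Windows_FW
"""

# Constructed transforms.conf, using the working DELIMS = " " from the thread.
TRANSFORMS_CONF = """
###### Windows Firewall Log ######
[Transform_Windows_FW]
DELIMS = " "
FIELDS  = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"
"""

# The event from the original post, verbatim.
SAMPLE_EVENT = ("2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 "
                "60318 9997 0 - 0 0 0 - - - SEND")


def load_conf(text):
    """Parse Splunk-style conf text: INI stanzas, '#' comments, case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'REPORT-windows_firewall' exactly as written
    cp.read_string(text)
    return cp


def parse_fields(value):
    """FIELDS accepts '"a" "b"' or 'a, b'; return the names in order."""
    return shlex.split(value.replace(",", " "))


def parse_delims(value):
    """DELIMS is a quoted string of literal delimiter characters, not a regex.
    Only the first quoted string (the field delimiters) is modelled here."""
    return shlex.split(value)[0]


def apply_transform(event, stanza):
    """Split the event on any single DELIMS character and zip with FIELDS."""
    delim_chars = parse_delims(stanza["DELIMS"])
    fields = parse_fields(stanza["FIELDS"])
    values = re.split("[" + re.escape(delim_chars) + "]", event)
    return dict(zip(fields, values))


def extract_for_sourcetype(event, sourcetype, props, transforms):
    """Search-time extraction: apply every transforms.conf stanza that a
    REPORT-* setting on the sourcetype stanza names.  EXTRACT-* settings are
    skipped because Splunk treats their value as an inline regex, and the
    string 'Transform_Windows_FW' has no named capture groups to extract."""
    extracted = {}
    for key, value in props[sourcetype].items():
        if key.startswith("REPORT-"):
            for stanza_name in parse_fields(value):
                extracted.update(apply_transform(event, transforms[stanza_name]))
    return extracted


def fields_with_delims(event, delims_value):
    """Re-run the firewall FIELDS list with a different DELIMS value, to show why
    DELIMS = "\\s" fails: it is read as the two literal characters backslash
    and 's', so a line containing neither never splits at all."""
    stanza = dict(load_conf(TRANSFORMS_CONF)["Transform_Windows_FW"])
    stanza["DELIMS"] = delims_value
    return apply_transform(event, stanza)


if __name__ == "__main__":
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    for name, value in extract_for_sourcetype(SAMPLE_EVENT, "pfirewall",
                                              props, transforms).items():
        print(f"{name:9} = {value}")
    print('with DELIMS = "\\s":', fields_with_delims(SAMPLE_EVENT, '"\\s"'))
```

Running it prints the 17 named fields for the sample event with DELIMS = " ", and a single "date" field holding the whole line when DELIMS = "\s" is substituted, which is the symptom aelliott hit. Swapping the REPORT- key in PROPS_CONF for EXTRACT- makes extract_for_sourcetype return nothing, matching b_loveless's experience with the EXTRACT- form.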

b_loveless
Engager

I gave this a shot, but didn't quite work. By default, the forwarder makes the "sourcetype" pfirewall. Assuming that, would it just be:
"[sourcetype]
EXTRACT-windows_firewall = Transform_Windows_FW"
?
I don't understand where the "-windows_firewall" comes from, or what it relates to.
Also, the transform above works great; I am just trying to make it automagic using props.conf.

0 Karma

b_loveless
Engager

Visited http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides too; it answered a few questions I asked above, but it still doesn't seem to work.

0 Karma

peterfilardo
Explorer

Hey that search syntax works perfectly! Now I have to figure out which props.conf to edit...

0 Karma

peterfilardo
Explorer

Another interesting item of note, I don't see Transform_Windows_FW listed in the Splunk Web UI on the "Fields » Field transformations" page for the Windows app, yet all of the other items in that transforms.conf file listed in the brackets [] ARE listed. Huh.

0 Karma

peterfilardo
Explorer

Sure, the text comes in exactly as it is in the log, verbatim. And sadly, no, they are not showing up as fields.

0 Karma

lukejadamec
Super Champion

The event looks normal. Are the fields listed in Transforms not showing up as fields on the left of the search screen?

0 Karma