Splunk Windows Firewall log file pfirewall.log

cmcknz77
New Member

Hello,
I'm very new to Splunk and am trying to use it to gather local Windows Firewall log file information. I thought I'd start by telling Splunk to index the firewall log file on the server itself (standard location C:\Windows\System32\Logfiles\Firewall\pfirewall.log) and am having difficulties. Although I have successfully been able to import the file for indexing, it appears that Splunk is unaware of the field names associated with the file contents.

How do I tell Splunk to ignore the first 3 lines of the file?
How do I tell Splunk that the field names to associate with the data in lines 6 through 'n' are in line 4, after the words '#Fields: '?
I'd like to be able to search on src-ip or dst-port etc.

The top of the file looks like so (I've left in some example data):

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE 
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE

I'm using Splunk 6.0.3 installed on a Windows Server 2008 R2 Core server.

Any assistance/pointers/hints gratefully received.


barakreeves
Splunk Employee

Welcome new Splunk user!!

This is very similar to IIS logs. This is what worked for me:

Note: Before making changes to your conf files, copy them to the local directory.

In your transforms.conf file:

[msfw-ignore-comments]
# Drop the W3C-style header lines; "Time Format" is included because the quoted file has a "#Time Format: Local" line
REGEX = ^#(?:Version|Software|Time Format|Fields|Date):\s.*$
DEST_KEY = queue
FORMAT = nullQueue

In your props.conf:

[your-sourcetype]
KV_MODE = none
CHECK_FOR_HEADER = false
TRANSFORMS-commentsToNull = msfw-ignore-comments
TIME_FORMAT = %Y-%m-%d %H:%M:%S

Let us know if this works for you.

--Barak
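
As an added illustration (not code from any post in this thread), here is the parsing the question describes, written in Python: skip the `#` header lines, take the column names from the `#Fields:` line, and map each record to named fields so that src-ip or dst-port can be searched. It also builds a props.conf `EXTRACT-` style regex from the same header, since the nullQueue transform above only discards the comment lines and does not by itself name the fields. The sample log is constructed from the lines quoted in the question plus one made-up ALLOW record; the `extract_regex` and `regex_fields` helpers and the renaming of hyphenated names (src-ip to src_ip, because PCRE named groups allow only word characters) are assumptions of this example, not Splunk's own tooling.

```python
"""Parse a Windows Firewall pfirewall.log header and records (added example).

Assumptions (not from the thread): the W3C-style layout quoted in the
question, a constructed sample, and a helper that emits a Splunk
props.conf EXTRACT-style regex from the #Fields line.
"""
from __future__ import annotations

import re

# Constructed sample: the header and two records quoted in the question,
# plus one made-up ALLOW record so that searching has something to filter.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE 
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE
2014-04-13 22:52:01 ALLOW TCP 10.1.4.8 10.1.2.3 49152 445 0 - 0 0 0 - - - SEND
"""

# The header lines a nullQueue transform would discard ("Time Format"
# included, since the quoted file has a "#Time Format: Local" line).
HEADER_RE = re.compile(r"^#(?:Version|Software|Time Format|Fields|Date):\s")


def parse_pfirewall(text: str) -> tuple[list[str], list[dict[str, str]]]:
    """Return (field names, records); each record maps a #Fields name to its value."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the blank line after the header
        if line.startswith("#"):
            if not HEADER_RE.match(line):
                raise ValueError(f"unexpected header line: {line!r}")
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # column names
            continue
        if not fields:
            raise ValueError("data record seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return fields, records


def find(records: list[dict[str, str]], criteria: dict[str, str]) -> list[dict[str, str]]:
    """Records whose fields equal every value in criteria, e.g. {"dst-port": "5355"}."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def extract_regex(fields: list[str]) -> str:
    """Build a props.conf EXTRACT-style regex with one named group per column.

    PCRE group names allow only word characters, so hyphens in names such
    as src-ip become underscores (src_ip). Hypothetical helper, not Splunk's.
    """
    groups = []
    for name in fields:
        safe = re.sub(r"\W", "_", name)
        groups.append(rf"(?<{safe}>\S+)")
    return "^" + r"\s+".join(groups) + r"\s*$"


def regex_fields(regex: str, line: str) -> dict[str, str]:
    """Apply the generated regex to one raw line (Python's re needs (?P<..>) names)."""
    m = re.match(regex.replace("(?<", "(?P<"), line)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    names, recs = parse_pfirewall(SAMPLE_LOG)
    for r in find(recs, {"action": "DROP"}):
        print(r["src-ip"], "->", r["dst-ip"], "port", r["dst-port"])
    print("EXTRACT-pfirewall =", extract_regex(names))
```

Running the block prints the two DROP records and the generated regex; the regex string is what one would paste as the value of an `EXTRACT-<name>` setting in props.conf for the sourcetype, with the header lines still sent to nullQueue as in the answer above.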

hafizuddin
Path Finder

Hi, it seems not to work for me.
I can't search on the source IP or the dest IP either.


linu1988
Champion

Index the files as they are.

Use the GUI field extraction. Then find out the parameters and calculate.


hafizuddin
Path Finder

Hi, it seems not to work for me.
By the way, could you tell me how to input the pfirewall.log file into Splunk and how to search the contents of the file?
I used Splunk Enterprise 7.0 with Windows Server 2012 R2.
