Getting Data In

Splunk Windows Firewall log file pfirewall.log

cmcknz77
New Member

Hello,
I'm very new to Splunk and trying to use it to gather local Windows Firewall log file information. I thought I'd start by telling Splunk to index the firewall log file on the server itself (standard location C:\Windows\System32\Logfiles\Firewall\pfirewall.log) and am having difficulties. Although I have been able to import the file for indexing successfully, it appears that Splunk is unaware of the field names associated with the file contents.

How do I tell Splunk to ignore the first 3 lines of the file?
How do I advise Splunk that the field names that should be associated with the data in lines 6 through 'n' are in line 4 after the words '#Fields: '?
I'd like to be able to search on src-ip or dst-port etc.

The top of the file looks like so (I've left in some example data):

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE 
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE

I'm using Splunk 6.0.3 installed on a Windows Server 2008 R2 Core server.

Any assistance/pointers/hints gratefully received.

0 Karma

barakreeves
Splunk Employee

Welcome new Splunk user!!

This is very similar to IIS logs. This is what worked for me:

Note: Before making changes to your conf files, copy them to the local directory.

In your transforms.conf file:

[msfw-ignore-comments]
# Route the W3C-style "#..." directive lines to the null queue so they are not indexed.
# "Time Format" is included because the pfirewall.log header above contains that line.
REGEX = ^#(?:Version|Software|Time Format|Fields|Date):\s.*$
DEST_KEY = queue
FORMAT = nullQueue

In your props.conf:

[your-sourcetype]
# Do not auto-extract key=value pairs; the log is space-delimited columns.
KV_MODE = none
# Do not let Splunk guess a header row from the file.
CHECK_FOR_HEADER = false
# Apply the null-queue transform above at index time.
TRANSFORMS-commentsToNull = msfw-ignore-comments
# Matches the "2014-04-13 22:51:26" timestamp at the start of each line.
TIME_FORMAT = %Y-%m-%d %H:%M:%S

Let us know if this works for you.

--Barak
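The field mapping the question asks for, as an added example that is not from the thread or from Splunk: a small Python parser that skips the directive lines, names the columns from the #Fields: line, and generates a transforms.conf DELIMS/FIELDS stanza (paired with a REPORT-<class> line in the sourcetype's props.conf) for those same columns. The sample log text and the stanza name pfirewall-fields are constructed here.

```python
# Added example, not code from the thread: apply the header handling the
# question describes (skip "#" directive lines, take column names from the
# "#Fields:" line) and emit a Splunk DELIMS/FIELDS transform for the same
# columns. The sample below is constructed from the question's excerpt.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE 
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE
"""


def parse_pfirewall(text: str) -> tuple[list[str], list[dict[str, str]]]:
    """Return (field names, events) for W3C-style pfirewall.log text."""
    fields: list[str] = []
    events: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()  # data lines often carry a trailing space
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields: directive carries data: the column names.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line seen before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        events.append(dict(zip(fields, values)))
    return fields, events


def transforms_stanza(fields: list[str], name: str = "pfirewall-fields") -> str:
    """Build a transforms.conf stanza that names the space-delimited columns.
    Hyphens become underscores so the fields need no quoting in SPL; pair the
    stanza with REPORT-pfirewall = pfirewall-fields in the sourcetype's props.conf."""
    quoted = ", ".join(f'"{f.replace("-", "_")}"' for f in fields)
    return f'[{name}]\nDELIMS = " "\nFIELDS = {quoted}\n'
```

Running parse_pfirewall on the real file before deploying the stanza catches header drift (a column count that no longer matches #Fields:) that would otherwise silently shift every extracted field.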

hafizuddin
Path Finder

Hi, it seems not to work for me.
I can't search the source IP or dest IP.

0 Karma

linu1988
Champion

Index the files as they are.

Use the GUI field extraction. Then find out the parameters and calculate.

0 Karma

hafizuddin
Path Finder

Hi, it seems not to work for me.
By the way, could you tell me how to input the pfirewall.log file data into Splunk and how to search the contents of the file?
I used Splunk Enterprise 7.0 with Windows Server 2012 R2.

0 Karma