Hello,
I'm very new to Splunk and trying to use it to gather local Windows Firewall log file information. I thought I'd start by telling Splunk to index the firewall log file on the server itself (standard location C:\Windows\System32\Logfiles\Firewall\pfirewall.log) and am having difficulties. Although I have successfully imported the file for indexing, it appears that Splunk is unaware of the field names associated with the file contents.
How do I tell Splunk to ignore the first 3 lines of the file?
How do I advise Splunk that the field names that should be associated with the data in lines 6 through 'n' are in line 4, after the words '#Fields: '?
I'd like to be able to search on src-ip or dst-port, etc.
The top of the file looks like so (I've left in some example data):
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE
I'm using Splunk 6.0.3 installed on a Windows Server 2008 R2 Core server.
Any assistance/pointers/hints gratefully received.
Welcome new Splunk user!!
This is very similar to IIS logs. This is what worked for me:
Note: Before making changes to your conf files, copy them to the local directory.
In your transforms.conf file:
[msfw-ignore-comments]
# Match the "#..." header lines at the top of pfirewall.log (including "#Time Format:") and route them to the null queue
REGEX = ^#(?:Version|Software|Time Format|Fields|Date):\s.*$
DEST_KEY = queue
FORMAT = nullQueue
In your props.conf:
[your-sourcetype]
KV_MODE = none
CHECK_FOR_HEADER = false
TRANSFORMS-commentsToNull = msfw-ignore-comments
TIME_FORMAT = %Y-%m-%d %H:%M:%S
Let us know if this works for you.
--Barak
Hi, it seems not to work for me.
I can't search on the source IP or the dest IP either.
Index the file as it is.
Use the GUI field extraction. Then find out the parameters and calculate.
Hi, it seems not to work for me.
By the way, could you tell me how to add the pfirewall.log file to Splunk as a data input, and how to search the contents of the file?
I used Splunk Enterprise 7.0 with Windows Server 2012 R2.
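Pulling the thread together, here is an added, complete configuration for the pfirewall.log layout shown in the question. It is not from any of the posters above: it extends Barak's header-dropping stanzas with the search-time field extraction the original question asked for (src-ip, dst-port and so on) and adds the inputs.conf monitor stanza the last comment asked about. The sourcetype name "msfw", the index name "main" and the stanza names are assumptions; rename them to suit your environment.

```ini
# Added example, not code from the thread. Three conf files for the
# pfirewall.log format shown in the question (#Version/#Software/#Time Format/
# #Fields header, then space-separated rows with 17 columns).
# Assumed names: sourcetype "msfw", index "main", stanzas "msfw-*".
# Put each file in $SPLUNK_HOME\etc\system\local\ (or an app's local
# directory) on the tier noted for it, then restart Splunk.

# ---------- inputs.conf (on the host that reads the file) ----------
[monitor://C:\Windows\System32\LogFiles\Firewall\pfirewall.log]
sourcetype = msfw
index = main
disabled = 0

# ---------- props.conf (on the indexer or heavy forwarder that parses the data) ----------
[msfw]
# One event per line; the timestamp is the first 19 characters of each row.
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# The fields are named explicitly below, so turn off header and key=value guessing.
CHECK_FOR_HEADER = false
KV_MODE = none
# Index time: send every "#..." header line to the null queue.
TRANSFORMS-drop_header = msfw-ignore-comments
# Search time: split each event on spaces into the named columns.
REPORT-fields = msfw-fields

# ---------- transforms.conf (same tier as props.conf) ----------
[msfw-ignore-comments]
# Every header line in this format starts with "#", including "#Time Format:".
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[msfw-fields]
# Column names taken from the "#Fields:" line in the question, in order.
DELIMS = " "
FIELDS = "date","time","action","protocol","src-ip","dst-ip","src-port","dst-port","size","tcpflags","tcpsyn","tcpack","tcpwin","icmptype","icmpcode","info","path"
```

With this in place, a search such as `sourcetype=msfw action=DROP dst-port=5355 | stats count by src-ip` works on the sample rows from the question. Two caveats matter when this "doesn't work": the REPORT extraction is applied at search time, so it takes effect for already-indexed events as soon as the conf files are loaded, whereas the nullQueue transform is applied at index time, so header lines that were indexed before the change stay in the index and the props/transforms stanzas must live on the indexer or heavy forwarder, not on a universal forwarder. Field names containing a hyphen are fine in `search` and `stats`, but inside `eval` or `where` they must be wrapped in single quotes, e.g. `where 'dst-port' < 1024`.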