We've been logging Windows Firewall activity to the default location on our 2008+ servers, and now, having Splunk, have been monitoring that file. The issue is, the data comes back in a rather unsavory view, each line looking roughly like this:
2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND
I suppose my question is about field extraction/transforms, I see that in the last few lines of \Splunk\etc\apps\windows\default\transforms.conf include the following entry:
###### Windows Firewall Log ######
[Transform_Windows_FW]
DELIMS = " "
FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"
This looks very relevant to what I need. I have the Splunk for Windows/Spunk TA for Windows apps deployed to all forwarders/search heads/indexers, I must be missing something easy. Any ideas? Version 6.0 of all components, btw.
... View more