Hello,
I'm very new to Splunk and trying to use it to gather local Windows Firewall Log file information. I thought I'd start by telling Splunk to index the Firewall Log file on the server itself (standard location C:\Windows\System32\Logfiles\Firewall\pfirewall.log) and am having difficulties. Although I have been able successfully to import the file for indexing it appears that Splunk is unaware of the field names associated with the file contents.
How do I tell Splunk to ignore the first 3 lines of the file?
How do I advise Splunk that the field names that should be associated with the data in lines 6 through 'n' are in Line 4 after the words '#Fields: '?
I'd like to be able to search on src-ip or dst-port etc.
The top of the file looks like so (I've left in some example data):
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE
I'm using Splunk 6.0.3 installed on a Windows Server 2008 R2 Core server.
Any assistance/pointers/hints gratefully received.
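As an added illustration (not part of the original post or of any Splunk configuration), this parser does exactly what the question asks an indexer to do with a pfirewall.log: skip the directive lines, take the column names from the '#Fields:' line, and make each event searchable by name such as src-ip or dst-port. The function names and the sample text are assumptions constructed from the lines quoted above.

```python
from typing import Dict, List

# Constructed sample: the directive lines and the two events quoted in the question.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE
"""

# Columns that hold numbers when present ('-' in the log means "not applicable").
INT_FIELDS = {"src-port", "dst-port", "size", "tcpwin", "icmptype", "icmpcode"}


def parse_pfirewall_log(text: str) -> List[Dict[str, object]]:
    """One dict per event: '-' becomes None, numeric columns become int."""
    fields: List[str] = []  # column names taken from the '#Fields:' directive
    events: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line: only '#Fields:' matters; Version, Software and
            # Time Format carry no event data and are skipped.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line seen before the #Fields: directive")
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # malformed or truncated line: never guess column alignment
        event: Dict[str, object] = {}
        for name, value in zip(fields, tokens):
            if value == "-":
                event[name] = None
            elif name in INT_FIELDS:
                event[name] = int(value)
            else:
                event[name] = value
        events.append(event)
    return events


def search(events: List[Dict[str, object]], **criteria: object) -> List[Dict[str, object]]:
    """Filter by field, e.g. search(evts, src_ip="10.1.2.3"); '_' maps to the header's '-'."""
    wanted = {k.replace("_", "-"): v for k, v in criteria.items()}
    return [e for e in events if all(e.get(k) == v for k, v in wanted.items())]
```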