https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108129#M7585 <P>Another interesting item of note, I don't see Transform_Windows_FW listed in the Splunk Web UI on the "Fields » Field transformations" page for the Windows app, yet all of the other items in that transforms.conf file listed in the brackets [] ARE listed. Huh.</P> Mon, 28 Sep 2020 15:01:47 GMT peterfilardo 2020-09-28T15:01:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108126#M7582 <P>We've been logging Windows Firewall activity to the default location on our 2008+ servers, and now, having Splunk, have been monitoring that file. The issue is, the data comes back in a rather unsavory view, each line looking roughly like this:</P> <PRE><CODE>2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND </CODE></PRE> <P>I suppose my question is about field extraction/transforms, I see that in the last few lines of \Splunk\etc\apps\windows\default\transforms.conf include the following entry:</P> <PRE><CODE>###### Windows Firewall Log ###### [Transform_Windows_FW] DELIMS = " " FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path" </CODE></PRE> <P>This looks very relevant to what I need. I have the Splunk for Windows/Spunk TA for Windows apps deployed to all forwarders/search heads/indexers, I must be missing something easy. Any ideas? Version 6.0 of all components, btw.</P> Mon, 21 Oct 2013 19:27:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108126#M7582 peterfilardo 2013-10-21T19:27:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108127#M7583 <P>The event looks normal. Are the fields listed in Transforms not showing up as fields on the left of the search screen?</P> Mon, 21 Oct 2013 19:38:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108127#M7583 lukejadamec 2013-10-21T19:38:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108128#M7584 <P>Sure, the text comes in exactly as it is in the log, verbatim. And sadly, no, they are not showing up as fields.</P> Mon, 21 Oct 2013 19:47:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108128#M7584 peterfilardo 2013-10-21T19:47:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108129#M7585 <P>Another interesting item of note, I don't see Transform_Windows_FW listed in the Splunk Web UI on the "Fields » Field transformations" page for the Windows app, yet all of the other items in that transforms.conf file listed in the brackets [] ARE listed. Huh.</P> Mon, 28 Sep 2020 15:01:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108129#M7585 peterfilardo 2020-09-28T15:01:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108130#M7586 <P>Try This:</P> <H6>Windows Firewall Log</H6> <PRE><CODE>[Transform_Windows_FW] DELIMS = "\s" FIELDS = date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path </CODE></PRE> <P>In the search bar, after you have saved this in the transforms.conf, put:</P> <P>some search | extract Transform_Windows_FW</P> <P>If that works then you can set it up to be automatic in the props.conf</P> Mon, 28 Sep 2020 15:02:00 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108130#M7586 ShaneNewman 2020-09-28T15:02:00Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108131#M7587 <P>Hey that search syntax works perfectly! Now I have to figure out which props.conf to edit...</P> Tue, 22 Oct 2013 16:03:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108131#M7587 peterfilardo 2013-10-22T16:03:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108132#M7588 <P>In the props.conf, create an entry with the name of your sourcetype in brackets</P> <P>[sourcetype]<BR /> EXTRACT-windows_firewall = Transform_Windows_FW</P> <P>Once you do this, go to the main URL add "/info"</P> <P>The second selection from the bottom is Reload EAI Objects, selecting that will reload all the configs without restarting the instance.</P> Mon, 28 Sep 2020 15:02:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108132#M7588 ShaneNewman 2020-09-28T15:02:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108133#M7589 <P>Did that work for you?</P> Thu, 24 Oct 2013 03:23:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108133#M7589 ShaneNewman 2013-10-24T03:23:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108134#M7590 <P>The DELIMS = "\s" does not work.<BR /> Changed it to DELIMS = " " and it worked for me.</P> Mon, 10 Mar 2014 17:11:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108134#M7590 aelliott 2014-03-10T17:11:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108135#M7591 <P>I gave this a shot, but didn't quite work. By default, the forwarder makes the "sourcetype" pfirewall. Assuming that, would it just be:<BR /> "[sourcetype]<BR /> EXTRACT-windows_firewall = Transform_Windows_FW"<BR /> ? <BR /> I don't understand where the "-windows_firewall" comes from, or what it relates to.<BR /> Also, the transform above works great, I am just trying to make it automagic using props.conf .</P> Tue, 29 Sep 2020 06:49:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108135#M7591 b_loveless 2020-09-29T06:49:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108136#M7592 <P>visited <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides">http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides</A> too, answered a few questions, I asked above... but still doesn't seem to work. </P> Wed, 29 Jul 2015 23:29:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108136#M7592 b_loveless 2015-07-29T23:29:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108137#M7593 <P>You need to use REPORT-windows_firewall not EXTRACT.</P> Mon, 28 Mar 2016 18:58:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Firewall-log-Extraction-Transforms/m-p/108137#M7593 delink 2016-03-28T18:58:17Z