topic Re: Splunk Windows Firewall log file pfirewall.log in Getting Data In

Splunk Windows Firewall log file pfirewall.log

cmcknz77 — Mon, 14 Apr 2014 19:02:23 GMT

Hello,
I'm very new to Splunk and trying to use it to gather local Windows Firewall Log file information. I thought I'd start by telling Splunk to index the Firewall Log file on the server itself (standard location C:\Windows\System32\Logfiles\Firewall\pfirewall.log) and am having difficulties. Although I have been able successfully to import the file for indexing it appears that Splunk is unaware of the field names associated with the file contents.

How do I tell Splunk to ignore the first 3 lines of the file?
How do I advise Splunk that the field names that should be associated with the data in lines 6 through 'n' are in Line 4 after the words '#Fields: ' ?
I'd like to be able to search on src-ip or dst-port etc

The top of the file looks like so (I've left in some example data):

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-04-13 22:51:26 DROP UDP 10.1.2.3 224.0.0.252 51632 5355 54 - - - - - - - RECEIVE 
2014-04-13 22:51:38 DROP UDP 10.1.4.8 10.1.255.255 138 138 237 - - - - - - - RECEIVE

I'm using Splunk 6.0.3 installed on a Windows Server 2008 R2 Core server

Any assistance/pointers/hints gratefully received.

Re: Splunk Windows Firewall log file pfirewall.log

linu1988 — Mon, 14 Apr 2014 19:33:34 GMT

index the files as it is.

Use the GUI field extraction. Then find out the parameters and calculate.

Re: Splunk Windows Firewall log file pfirewall.log

barakreeves — Mon, 28 Sep 2020 16:28:34 GMT

Welcome new Splunk user!!

This is very similar to IIS logs. This is what worked for me:

Note: Before making changes to your conf files, copy them to the local directory.

In your transforms.conf file:
[msfw-ignore-comments] REGEX = ^#(?:Version|Software|Fields|Date):\s.*$ DEST_KEY = queue FORMAT = nullQueue

In your props.conf:
[your-sourcetype] KV_MODE = none CHECK_FOR_HEADER = false TRANSFORMS-commentsToNull = msfw-ignore-comments TIME_FORMAT = %Y-%m-%d %H:%M:%S

Let us know if this works for you.

--Barak

Re: Splunk Windows Firewall log file pfirewall.log

hafizuddin — Thu, 23 Nov 2017 01:16:44 GMT

hi, it seem not work for me.
By the way, could you tell me how to data input the pfirewall.log file to splunk and how to search the contain of file?
I used Splunk Enterprise 7.0 with windows server 2012r2

Re: Splunk Windows Firewall log file pfirewall.log

hafizuddin — Mon, 27 Nov 2017 04:36:18 GMT

hi, it seem not work for me.
I can't search the source IP either dest ip