We've been logging Windows Firewall activity to the default location on our 2008+ servers, and now, having Splunk, have been monitoring that file. The issue is, the data comes back in a rather unsavory view, each line looking roughly like this:
2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND
I suppose my question is about field extraction/transforms. I see that the last few lines of \Splunk\etc\apps\windows\default\transforms.conf include the following entry:
###### Windows Firewall Log ######
[Transform_Windows_FW]
DELIMS = " "
FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"
This looks very relevant to what I need. I have the Splunk for Windows/Splunk TA for Windows apps deployed to all forwarders/search heads/indexers, so I must be missing something easy. Any ideas? Version 6.0 of all components, btw.
Try this:
[Transform_Windows_FW]
DELIMS = "\s"
FIELDS = date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
In the search bar, after you have saved this in the transforms.conf, put:
some search | extract Transform_Windows_FW
If that works, then you can set it up to be automatic in the props.conf.
The DELIMS = "\s" does not work.
Changed it to DELIMS = " " and it worked for me.
Did that work for you?
In the props.conf, create an entry with the name of your sourcetype in brackets:
[sourcetype]
EXTRACT-windows_firewall = Transform_Windows_FW
Once you do this, go to the main URL and add "/info".
The second selection from the bottom is Reload EAI Objects, selecting that will reload all the configs without restarting the instance.
You need to use REPORT-windows_firewall not EXTRACT.
I gave this a shot, but it didn't quite work. By default, the forwarder makes the "sourcetype" pfirewall. Assuming that, would it just be:
"[sourcetype]
EXTRACT-windows_firewall = Transform_Windows_FW"
?
I don't understand where the "-windows_firewall" comes from, or what it relates to.
Also, the transform above works great; I am just trying to make it automagic using props.conf.
I visited http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides too. It answered a few questions I asked above, but it still doesn't seem to work.
Hey that search syntax works perfectly! Now I have to figure out which props.conf to edit...
Another interesting item of note: I don't see Transform_Windows_FW listed in the Splunk Web UI on the "Fields » Field transformations" page for the Windows app, yet all of the other items in that transforms.conf file listed in brackets [] ARE listed. Huh.
Sure, the text comes in exactly as it is in the log, verbatim. And sadly, no, they are not showing up as fields.
The event looks normal. Are the fields listed in Transforms not showing up as fields on the left of the search screen?
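Below is a worked check, added here and not part of any post in this thread or of the Splunk Windows app. It takes the props.conf and transforms.conf stanzas in the form the thread settles on (REPORT- rather than EXTRACT-, DELIMS set to a literal single space, sourcetype pfirewall as the question reports), follows the REPORT- key to the transform, applies the DELIMS/FIELDS split to a few pfirewall.log lines, and runs one small search over the result. The DELIMS/FIELDS interpreter is an approximation written for this check, not Splunk's own extraction engine; the sample log (the line from the question, two made-up events in the same format, and the "#" header lines Windows writes at the top of pfirewall.log) is constructed; dropping the "-" placeholder values is this script's choice, not something the thread says Splunk does.

```python
"""Offline check of the Windows Firewall DELIMS/FIELDS extraction discussed above.

Reads props.conf / transforms.conf stanzas, follows REPORT-* to the transform,
applies DELIMS/FIELDS to sample pfirewall.log lines, and runs one detection over
the result. The DELIMS/FIELDS interpreter here is an approximation written for
this check, not Splunk's code.
"""
import configparser
import re

# Constructed stanzas in the form the thread ends up with: REPORT- (not EXTRACT-)
# in props.conf and a literal single-space DELIMS. "pfirewall" is the sourcetype
# the question says the forwarder assigns.
PROPS_CONF = """\
[pfirewall]
REPORT-windows_firewall = Transform_Windows_FW
"""

TRANSFORMS_CONF = """\
[Transform_Windows_FW]
DELIMS = " "
FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"
"""

# Constructed sample log: the real file starts with "#..." header lines, then one
# event per line. Line 1 is the event from the question; the other two are made up
# in the same format (an ICMP echo request and a dropped inbound RDP attempt).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND
2013-10-21 10:58:12 ALLOW ICMP 10.200.0.13 10.138.65.9 - - 60 - - - - 8 0 - SEND
2013-10-21 10:58:15 DROP TCP 198.51.100.7 10.200.0.13 51515 3389 52 S 1234567 0 8192 - - - RECEIVE
"""


def read_conf(text):
    """Parse Splunk-style .conf text, keeping key case (DELIMS, REPORT-...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def resolve_transforms(props_text, transforms_text, sourcetype):
    """Follow the sourcetype's REPORT-* keys to their transforms.conf stanzas.

    EXTRACT-* takes an inline regex; a transforms stanza name there is the mistake
    the thread hit, so it is reported instead of being silently ignored.
    """
    props = read_conf(props_text)
    transforms = read_conf(transforms_text)
    resolved = {}
    for key, value in props[sourcetype].items():
        names = [n.strip() for n in value.split(",")]
        if key.startswith("REPORT-"):
            for name in names:
                if not transforms.has_section(name):
                    raise ValueError(f"{key} references missing stanza [{name}]")
                resolved[name] = dict(transforms[name])
        elif key.startswith("EXTRACT-") and transforms.has_section(value.strip()):
            raise ValueError(f"{key} must be a regex; use REPORT-{key[8:]} = {value}")
    return resolved


def parse_quoted_list(raw):
    """'"a" "b"' -> ['a', 'b']; also accepts the unquoted 'a, b' form from the answer."""
    quoted = re.findall(r'"([^"]*)"', raw)
    return quoted or [f.strip() for f in raw.split(",") if f.strip()]


def extract_event(line, fields, delims):
    """Split one event on any DELIMS character and pair values with FIELDS.

    Windows writes "-" for columns that do not apply (ports on ICMP, flags on
    UDP); this script drops those so searches do not see the literal "-".
    """
    values = re.split("[" + re.escape(delims) + "]", line.strip())
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
    return {name: val for name, val in zip(fields, values) if val != "-"}


def parse_firewall_log(text, fields, delims):
    """Skip the "#" header lines and extract every event line."""
    return [extract_event(ln, fields, delims)
            for ln in text.splitlines() if ln and not ln.startswith("#")]


def inbound_to_ports(events, ports):
    """Events arriving at the host (path=RECEIVE) aimed at the given ports, ALLOW or DROP."""
    return [e for e in events if e.get("path") == "RECEIVE" and e.get("dst-port") in ports]


if __name__ == "__main__":
    stanza = resolve_transforms(PROPS_CONF, TRANSFORMS_CONF, "pfirewall")["Transform_Windows_FW"]
    fields = parse_quoted_list(stanza["FIELDS"])
    delims = "".join(parse_quoted_list(stanza["DELIMS"]))
    events = parse_firewall_log(SAMPLE_LOG, fields, delims)
    for e in events:
        print(e)
    for hit in inbound_to_ports(events, {"3389", "445", "22"}):
        print("inbound admin-port traffic:", hit["action"], hit["src-ip"], "->", hit["dst-port"])
```

Run it as a script to see the extracted dictionaries. If a line splits into the wrong number of columns the script raises instead of silently misaligning fields, which is the failure you would otherwise only notice in search as src-port holding a size value; and feeding it a props.conf with EXTRACT-windows_firewall = Transform_Windows_FW reproduces the "works with | extract but not automatically" symptom as an explicit error.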