We've been logging Windows Firewall activity to the default location on our 2008+ servers, and now that we have Splunk, we have been monitoring that file. The issue is that the data comes back in a rather unsavory view, each line looking roughly like this:
2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND
I suppose my question is about field extraction/transforms. I see that the last few lines of \Splunk\etc\apps\windows\default\transforms.conf include the following entry:
###### Windows Firewall Log ######
[Transform_Windows_FW]
DELIMS = " "
FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"
This looks very relevant to what I need. I have the Splunk for Windows/Splunk TA for Windows apps deployed to all forwarders/search heads/indexers, so I must be missing something easy. Any ideas? Version 6.0 of all components, btw.
[Transform_Windows_FW]
DELIMS = "\s"
FIELDS = date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
In the search bar, after you have saved this in the transforms.conf, put:
some search | extract Transform_Windows_FW
If that works, then you can set it up to be automatic in props.conf.
In props.conf, create an entry with the name of your sourcetype in brackets:
EXTRACT-windows_firewall = Transform_Windows_FW
Once you do this, go to the main URL and add "/info".
The second selection from the bottom is Reload EAI Objects; selecting that will reload all the configs without restarting the instance.
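The positional extraction that the answer's Transform_Windows_FW stanza performs, as an added example in plain Python that is not Splunk's code and not part of the original thread. It splits each line on whitespace (what DELIMS = "\s" does) and maps the tokens onto the 17 field names taken from the stanza above, so you can check outside Splunk what src-ip, dst-port, path and the rest resolve to for a given line. It does not reproduce how Splunk parses the FIELDS setting itself. Assumptions: the Windows Firewall log carries a "#Fields:" header naming its columns (this is how pfirewall.log is written, but the header lines here are constructed), and all sample lines except the first, which is the one quoted in the question, are constructed.

```python
"""Plain-Python equivalent of the Transform_Windows_FW field extraction.

Added example, not Splunk's code and not from the original thread.
Field names come from the transforms.conf stanza quoted on the page; the
sample log below is constructed apart from the first event line, which is
the line quoted in the question.
"""
import re
from typing import Any, Dict, List, Optional

# Field order from the Transform_Windows_FW stanza (17 positional fields).
FW_FIELDS: List[str] = [
    "date", "time", "action", "protocol", "src-ip", "dst-ip",
    "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack",
    "tcpwin", "icmptype", "icmpcode", "info", "path",
]

# Fields that are numeric when present; "-" in the log means "not applicable".
INT_FIELDS = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
              "icmptype", "icmpcode"}

WS = re.compile(r"\s+")  # the same split the answer's DELIMS = "\s" performs

# Constructed sample (header lines and events 2-3 are made up for this example;
# event 1 is the line quoted in the question).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND
2013-10-21 10:58:11 DROP UDP 10.200.0.99 10.200.0.13 51234 161 78 - - - - - - - RECEIVE
2013-10-21 10:58:12 DROP ICMP 10.200.0.99 10.200.0.13 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_fw_line(line: str, fields: List[str] = FW_FIELDS) -> Optional[Dict[str, Any]]:
    """Map one whitespace-delimited log line onto `fields`.

    Returns None for blank/comment lines and for lines whose token count does
    not match the field list: in a positional extraction a mismatch silently
    shifts every later field, so such lines are refused rather than guessed.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = WS.split(line)
    if len(tokens) != len(fields):
        return None
    event: Dict[str, Any] = {}
    for name, tok in zip(fields, tokens):
        if tok == "-":
            event[name] = None
        elif name in INT_FIELDS and tok.isdigit():
            event[name] = int(tok)
        else:
            event[name] = tok
    return event


def parse_fw_log(text: str) -> List[Dict[str, Any]]:
    """Parse a whole log, taking the column order from a #Fields: header if present."""
    fields = FW_FIELDS
    events: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # trust the file's own column list
            continue
        ev = parse_fw_line(raw, fields)
        if ev is not None:
            events.append(ev)
    return events


def header_matches_transform(text: str) -> bool:
    """True if the log's #Fields: header lists exactly the transform's 17 fields."""
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            return raw.split()[1:] == FW_FIELDS
    return False  # no header seen, so the field order cannot be confirmed


def count_by(events: List[Dict[str, Any]], field: str) -> Dict[Any, int]:
    """Small stand-in for `| stats count by <field>` over the parsed events."""
    counts: Dict[Any, int] = {}
    for ev in events:
        counts[ev.get(field)] = counts.get(ev.get(field), 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_fw_log(SAMPLE_LOG)
    print("header matches transform:", header_matches_transform(SAMPLE_LOG))
    for ev in events:
        print(ev["action"], ev["protocol"], ev["src-ip"], "->",
              ev["dst-ip"], ev["dst-port"], ev["path"])
    print(count_by(events, "action"))
```

Comparing the file's "#Fields:" header against the transform's list is the check worth keeping: if Microsoft ever reorders or adds a column, a fixed positional FIELDS list mislabels everything after the change without any error.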
I gave this a shot, but it didn't quite work. By default, the forwarder makes the "sourcetype" pfirewall. Assuming that, would it just be:
EXTRACT-windows_firewall = Transform_Windows_FW
I don't understand where the "-windows_firewall" comes from, or what it relates to.
Also, the transform above works great; I am just trying to make it automagic using props.conf.
Another interesting item of note: I don't see Transform_Windows_FW listed in the Splunk Web UI on the "Fields » Field transformations" page for the Windows app, yet all of the other items in brackets in that transforms.conf file ARE listed. Huh.