
Windows Firewall log - Extraction/Transforms?

Explorer

We've been logging Windows Firewall activity to the default location on our 2008+ servers, and now, having Splunk, have been monitoring that file. The issue is, the data comes back in a rather unsavory view, each line looking roughly like this:

2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND

I suppose my question is about field extraction/transforms. I see that the last few lines of \Splunk\etc\apps\windows\default\transforms.conf include the following entry:

###### Windows Firewall Log ######
[Transform_Windows_FW]
DELIMS = " "
FIELDS  = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"

This looks very relevant to what I need. I have the Splunk for Windows/Splunk TA for Windows apps deployed to all forwarders/search heads/indexers; I must be missing something easy. Any ideas? Version 6.0 of all components, btw.
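To check what the Transform_Windows_FW stanza should produce before touching Splunk at all, here is an added example (not code from the thread or from the Splunk TA for Windows) that applies the same DELIMS/FIELDS mapping in Python. It models the documented DELIMS behaviour, where each character in the string is a separator, and uses the log line from the post plus a few constructed DROP events from an RFC 5737 test address and a constructed "#Fields:" header line like the one Windows writes at the top of pfirewall.log.

```python
import re
from typing import Dict, List, Optional

# Field order copied from the Transform_Windows_FW stanza quoted in the post
# above; it matches the "#Fields:" header Windows writes into pfirewall.log.
FIELDS: List[str] = [
    "date", "time", "action", "protocol", "src-ip", "dst-ip", "src-port",
    "dst-port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
    "icmptype", "icmpcode", "info", "path",
]

# Constructed sample: index 1 is the event from the post, the DROP lines are
# made up (192.0.2.44 is a documentation address), index 0 is a header line.
SAMPLE_EVENTS: List[str] = [
    "#Fields: " + " ".join(FIELDS),
    "2013-10-21 10:58:09 ALLOW TCP 10.200.0.13 10.138.65.9 60318 9997 0 - 0 0 0 - - - SEND",
    "2013-10-21 10:58:11 DROP TCP 192.0.2.44 10.200.0.13 51234 445 52 S 123456789 0 8192 - - - RECEIVE",
    "2013-10-21 10:58:12 DROP UDP 192.0.2.44 10.200.0.13 51235 137 78 - - - - - - - RECEIVE",
    "2013-10-21 10:58:13 DROP ICMP 192.0.2.44 10.200.0.13 - - 60 - - - - 8 0 - RECEIVE",
]


def parse_fields_spec(spec: str) -> List[str]:
    """Turn a transforms.conf FIELDS value (quoted names, space- or
    comma-separated) into an ordered list of field names."""
    return re.findall(r'"([^"]*)"', spec)


def split_on_delims(event: str, delims: str) -> List[str]:
    """Split an event the way a DELIMS stanza does: every individual
    character in the delimiter string is a separator."""
    return re.split("[" + re.escape(delims) + "]", event.rstrip("\r\n"))


def extract_firewall_event(event: str, fields: List[str] = FIELDS,
                           delims: str = " ") -> Optional[Dict[str, Optional[str]]]:
    """Map one pfirewall.log line onto the field names.

    Returns None for '#'-prefixed header lines, raises ValueError when the
    token count does not match the field list (a sign the FIELDS order or the
    log format is not what the transform expects), and turns the '-'
    placeholder into None so absent values are not mistaken for data.
    """
    if event.startswith("#"):
        return None
    tokens = split_on_delims(event, delims)
    if len(tokens) != len(fields):
        raise ValueError(
            f"expected {len(fields)} tokens but got {len(tokens)}: {event!r}")
    return {name: (None if tok == "-" else tok) for name, tok in zip(fields, tokens)}


def drops_by_source(events: List[str]) -> Dict[str, int]:
    """Count DROP events per source address, the kind of summary you would
    later run in Splunk as '... action=DROP | stats count by src-ip'."""
    counts: Dict[str, int] = {}
    for line in events:
        rec = extract_firewall_event(line)
        if rec is None or rec["action"] != "DROP":
            continue
        src = rec["src-ip"] or "unknown"
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(extract_firewall_event(line))
    print(drops_by_source(SAMPLE_EVENTS))
```

If the token count on real lines does not come out to 17, the transform will not produce the expected fields in Splunk either, which is the first thing to rule out before looking at props.conf.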


Re: Windows Firewall log - Extraction/Transforms?

Super Champion

The event looks normal. Are the fields listed in Transforms not showing up as fields on the left of the search screen?


Re: Windows Firewall log - Extraction/Transforms?

Explorer

Sure, the text comes in exactly as it is in the log, verbatim. And sadly, no, they are not showing up as fields.


Re: Windows Firewall log - Extraction/Transforms?

Explorer

Another interesting item of note: I don't see Transform_Windows_FW listed in the Splunk Web UI on the "Fields » Field transformations" page for the Windows app, yet all of the other items in that transforms.conf file listed in the brackets [] ARE listed. Huh.


Re: Windows Firewall log - Extraction/Transforms?

Motivator

Try This:

# Windows Firewall Log
[Transform_Windows_FW]
DELIMS = "\s"
FIELDS  = date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path

In the search bar, after you have saved this in the transforms.conf, put:

some search | extract Transform_Windows_FW

If that works, then you can set it up to be automatic in props.conf.


Re: Windows Firewall log - Extraction/Transforms?

Explorer

Hey that search syntax works perfectly! Now I have to figure out which props.conf to edit...


Re: Windows Firewall log - Extraction/Transforms?

Motivator

In props.conf, create an entry with the name of your sourcetype in brackets:

[sourcetype]
EXTRACT-windowsfirewall = Transform_Windows_FW

Once you do this, go to the main URL and add "/info".

The second selection from the bottom is "Reload EAI Objects"; selecting that will reload all the configs without restarting the instance.


Re: Windows Firewall log - Extraction/Transforms?

Engager

I gave this a shot, but it didn't quite work. By default, the forwarder makes the sourcetype "pfirewall". Assuming that, would it just be:

[pfirewall]
EXTRACT-windowsfirewall = Transform_Windows_FW

?

I don't understand where the "-windowsfirewall" comes from, or what it relates to.

Also, the transform above works great; I am just trying to make it automagic using props.conf.


Re: Windows Firewall log - Extraction/Transforms?

Engager

I visited http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides too, which answered a few of the questions I asked above... but it still doesn't seem to work.


Re: Windows Firewall log - Extraction/Transforms?

Communicator

You need to use REPORT-windows_firewall, not EXTRACT.
