Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Windows firewall logs not showing ample information

hassan1214
Loves-to-Learn
‎03-18-2024 12:06 AM

Hye !

I am trying to analyze Windoes firewall logs in splunk Enterprsie locally hosted . Follwings have ben done already:

  1. Logs are being ingested successfully to server
  2. Can view logs with details
  3. App TA-winfw already installed 

However its missing any IP realetd info like src ip , dst ip and protocol. However I can see these fileds in local file stored at "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"

But dont see any such values into splunk ingested log data . Need help and guidance if I am missing anything ?

Regards

 

 

Labels (1)
Labels
0 Karma
Reply

KendallW
Contributor
‎03-25-2024 05:53 PM

Hi @hassan1214, here's a few things to check to begin troubleshooting this issue:
-Are you running the search in Fast Mode? If so, try running it in Smart Mode.
-Are any of the winfw fields being extracted? Or only Splunk internal fields?
-Check for any parsing issues in the splunkd.log : 

index=_internal sourcetype=splunkd log_level!=INFO source=*splunkd.log *winfw*

 
The TA uses the following transforms.conf stanza to extract fields. Please check the content of your pfirewall.log matches this format:

DELIMS = " "
FIELDS = date,time,win_action,transport,src,dest,src_port,dest_port,size,tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction

 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top