
Issue with Windows firewall logs not showing ample information

hassan1214
Loves-to-Learn

Hi!

I am trying to analyze Windows firewall logs in a locally hosted Splunk Enterprise. The following has been done already:

  1. Logs are being ingested successfully to the server
  2. Can view logs with details
  3. App TA-winfw is already installed

However, it is missing any IP-related info like src ip, dst ip and protocol. However, I can see these fields in the local file stored at "C:\Windows\System32\LogFiles\Firewall\pfirewall.log".

But I don't see any such values in the Splunk-ingested log data. Need help and guidance if I am missing anything?

Regards


KendallW
Contributor

Hi @hassan1214, here are a few things to check to begin troubleshooting this issue:
-Are you running the search in Fast Mode? If so, try running it in Smart Mode.
-Are any of the winfw fields being extracted? Or only Splunk internal fields?
-Check for any parsing issues in the splunkd.log : 

index=_internal sourcetype=splunkd log_level!=INFO source=*splunkd.log *winfw*

The TA uses the following transforms.conf stanza to extract fields. Please check the content of your pfirewall.log matches this format:

DELIMS = " "
FIELDS = date,time,win_action,transport,src,dest,src_port,dest_port,size,tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction

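The answer above says the TA extracts fields by splitting each pfirewall.log line on single spaces and assigning the pieces positionally to the FIELDS list. The following is an added example (not part of the original thread, and not the TA's own code) that emulates that extraction offline, so you can confirm a given pfirewall.log actually yields src, dest and transport before looking for Splunk-side causes. The sample log text is constructed here; the positional-split behaviour (values beyond the named fields dropped, names without a value left unset) is an approximation of what Splunk's DELIMS/FIELDS transform does, assumed rather than verified against splunkd.

```python
"""
Emulate the TA-winfw style extraction (DELIMS = " " with a FIELDS list)
over a pfirewall.log, and flag lines whose column count does not fit.
"""

# Field list copied from the transforms.conf stanza quoted in the answer.
TA_FIELDS = (
    "date,time,win_action,transport,src,dest,src_port,dest_port,size,"
    "tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction"
).split(",")

# Constructed sample pfirewall.log: the '#' header lines Windows writes at
# the top, two well-formed events, and one deliberately short line to show
# what a column-count mismatch does to the extraction.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:23:45 DROP TCP 192.168.1.10 10.0.0.5 50123 443 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 10:23:46 ALLOW UDP 10.0.0.5 192.168.1.10 53 50124 0 - - - - - - - SEND
2024-01-15 10:23:47 DROP ICMP 10.0.0.7 10.0.0.5
"""


def header_fields(text):
    """Return the column names declared by the file's own '#Fields:' line
    (empty list if the header is absent)."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return line.split(":", 1)[1].split()
    return []


def extract(line, fields=TA_FIELDS):
    """Positional split on single spaces, like DELIMS = " " with FIELDS = ...
    Extra values are dropped; names with no value are left unset
    (assumed approximation of the Splunk transform)."""
    values = line.split(" ")
    return {name: values[i] for i, name in enumerate(fields) if i < len(values)}


def parse_pfirewall(text, fields=TA_FIELDS):
    """Parse every non-comment line. Returns (events, problems) where
    problems lists (line number, missing field names) for short lines."""
    events, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # header / comment lines carry no event data
        event = extract(line, fields)
        missing = [f for f in fields if f not in event]
        if missing:
            problems.append((lineno, missing))
        events.append(event)
    return events, problems


def check_layout(text, fields=TA_FIELDS):
    """Compare the file's '#Fields:' header with the TA's FIELDS list.
    A count mismatch means values land under the wrong names (for example
    src ending up in 'transport'), which looks like 'missing' IP fields."""
    declared = header_fields(text)
    return {"declared": len(declared), "expected": len(fields),
            "match": len(declared) == len(fields)}


if __name__ == "__main__":
    print(check_layout(SAMPLE_LOG))
    events, problems = parse_pfirewall(SAMPLE_LOG)
    for e in events:
        print(e.get("win_action"), e.get("transport"),
              e.get("src"), "->", e.get("dest"), e.get("win_direction"))
    for lineno, missing in problems:
        print(f"line {lineno}: {len(missing)} field(s) unset: {missing}")
```

Run it against a copy of your real pfirewall.log (read the file and pass its contents instead of SAMPLE_LOG): if check_layout reports a count mismatch or parse_pfirewall reports problems on most lines, the file format is the cause; if both look clean, the issue is on the Splunk side (search mode, sourcetype assignment, or parsing errors in splunkd.log as suggested above).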