Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Windows firewall logs not showing ample information

hassan1214
Loves-to-Learn
‎03-18-2024 12:06 AM

Hye !

I am trying to analyze Windoes firewall logs in splunk Enterprsie locally hosted . Follwings have ben done already:

  1. Logs are being ingested successfully to server
  2. Can view logs with details
  3. App TA-winfw already installed 

However its missing any IP realetd info like src ip , dst ip and protocol. However I can see these fileds in local file stored at "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"

But dont see any such values into splunk ingested log data . Need help and guidance if I am missing anything ?

Regards

 

 

Labels (1)
Labels
0 Karma
Reply

KendallW
Contributor
‎03-25-2024 05:53 PM

Hi @hassan1214, here's a few things to check to begin troubleshooting this issue:
-Are you running the search in Fast Mode? If so, try running it in Smart Mode.
-Are any of the winfw fields being extracted? Or only Splunk internal fields?
-Check for any parsing issues in the splunkd.log : 

index=_internal sourcetype=splunkd log_level!=INFO source=*splunkd.log *winfw*

 
The TA uses the following transforms.conf stanza to extract fields. Please check the content of your pfirewall.log matches this format:

DELIMS = " "
FIELDS = date,time,win_action,transport,src,dest,src_port,dest_port,size,tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top