Hi!
I am trying to analyze Windows firewall logs in a locally hosted Splunk Enterprise. The following has been done already:
However, it is missing any IP-related info like src ip, dst ip and protocol. I can see these fields in the local file stored at "C:\Windows\System32\LogFiles\Firewall\pfirewall.log",
but I don't see any such values in the Splunk-ingested log data. I need help and guidance on whether I am missing anything.
Regards
Hi @hassan1214, here are a few things to check to begin troubleshooting this issue:
- Are you running the search in Fast Mode? If so, try running it in Smart Mode.
- Are any of the winfw fields being extracted? Or only Splunk internal fields?
- Check for any parsing issues in splunkd.log:
index=_internal sourcetype=splunkd log_level!=INFO source=*splunkd.log *winfw*
The TA uses the following transforms.conf stanza to extract fields. Please check the content of your pfirewall.log matches this format:
DELIMS = " "
FIELDS = date,time,win_action,transport,src,dest,src_port,dest_port,size,tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction
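To check whether a pfirewall.log actually fits that stanza before blaming Splunk, here is an added example (not from the answer above or from the TA) that re-implements the same space-delimited, positional DELIMS/FIELDS mapping in Python and reports which lines would yield src/dest and which have the wrong column count. The log content is a constructed sample in the layout pfirewall.log uses, with one deliberately truncated event.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# DELIMS/FIELDS copied from the transforms.conf stanza quoted in the answer.
DELIM = " "
FIELDS = ("date,time,win_action,transport,src,dest,src_port,dest_port,size,"
          "tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction").split(",")

# Constructed sample (not a real capture); the last event is truncated on purpose.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:22:31 DROP TCP 192.168.1.25 192.168.1.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 10:22:32 ALLOW UDP 192.168.1.10 192.168.1.1 53123 53 0 - - - - - - - SEND
2024-01-15 10:22:33 DROP TCP 192.168.1.25 192.168.1.10 51235 445
"""

@dataclass
class ParsedEvent:
    fields: Dict[str, str]   # positional mapping, exactly as DELIMS/FIELDS would do it
    complete: bool           # False when the token count differs from len(FIELDS)

def header_columns(text: str) -> List[str]:
    """Return the column names from the '#Fields:' header line, or [] if absent."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].split()
    return []

def extract_fields(line: str) -> Optional[ParsedEvent]:
    """Mimic the TA's delimiter extraction for one line; None for headers/blank lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    tokens = line.split(DELIM)
    return ParsedEvent(dict(zip(FIELDS, tokens)), len(tokens) == len(FIELDS))

def check_log(text: str) -> Dict[str, int]:
    """Count events, events with src+dest, column-count mismatches, and header fit."""
    summary = {"events": 0, "mismatched": 0, "with_src_dest": 0,
               "header_ok": int(len(header_columns(text)) == len(FIELDS))}
    for raw in text.splitlines():
        ev = extract_fields(raw)
        if ev is None:
            continue
        summary["events"] += 1
        summary["mismatched"] += int(not ev.complete)
        summary["with_src_dest"] += int(bool(ev.fields.get("src") and ev.fields.get("dest")))
    return summary

if __name__ == "__main__":
    print(check_log(SAMPLE_LOG))
```

A non-zero "mismatched" count or "header_ok": 0 means the file layout differs from what the stanza expects, which is the first thing to reconcile before looking further into Splunk.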