Friday, July 31, 2015

Splunkin' the Windows Firewall Log automagically

Splunk and Windows Firewall logging, gettin' the fields out.

I spent a bit of time trying to figure out how to get Splunk to parse out our Windows Firewall logs.  I found several sites explaining how it should work.
I was able to get Transforms working by using the site .

For example, after feeding the logs into Splunk with a simple file monitor and forwarder, I would enter "sourcetype=pfirewall | extract Transform_Windows_FW" and it would parse out the fields.

I wanted this to happen automagically, so I tried the second part of the link above, where you edit the props.conf file... fail.  So, long story short, I edited the props.conf file to contain:

# stanza name = the sourcetype the logs were indexed as (pfirewall in the search above)
[pfirewall]
EXTRACT-date,time,action,protocol,src_ip,dst_ip,src_port,dst_port,size,info = ^(?P<date>[^ ]+)\s+(?P<time>[^ ]+)\s+(?P<action>[^ ]+)\s+(?P<protocol>\w+)[^ \n]* (?P<src_ip>[^ ]+)\s+(?P<dst_ip>[^ ]+)\s+(?P<src_port>[^ ]+)\s+(?P<dst_port>[^ ]+)\s+(?P<size>[^ ]+)(?:[^ \n]* ){8}(?P<info>\w+)

and added it to my search head.  Tested with IPv6 and it seems to work fine.
(Technically a co-worker tried this as I was trying other things, so he gets the credit.)

p.s. You must edit C:\Program Files\Splunk\etc\system\local\props.conf (create it if it does not exist), not the copy under etc\system\default: the default files are overwritten on upgrade and changing them can break Splunk's built-in extractions. Search-time settings like EXTRACT only need to be on the search head; restart Splunk after the edit so the new extraction is picked up.
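To see what the EXTRACT regex above actually pulls out of each line, here is an added Python example (not from the original post) that runs the page's regex, unchanged, over a constructed pfirewall.log excerpt; Python's re module accepts the same (?P<name>...) named groups that Splunk's PCRE does. It also builds an alternative regex from the 17 column names in the log's "#Fields:" header, which is an assumption about the layout of the log being fed in (check the header line of your own pfirewall.log); the sample lines are made up for the example.

```python
import re

# The EXTRACT regex from the page, unchanged. Splunk's EXTRACT uses PCRE, and
# Python's re accepts the same (?P<name>...) named groups, so it can be run here.
PAGE_REGEX = re.compile(
    r"^(?P<date>[^ ]+)\s+(?P<time>[^ ]+)\s+(?P<action>[^ ]+)\s+(?P<protocol>\w+)[^ \n]* "
    r"(?P<src_ip>[^ ]+)\s+(?P<dst_ip>[^ ]+)\s+(?P<src_port>[^ ]+)\s+(?P<dst_port>[^ ]+)\s+"
    r"(?P<size>[^ ]+)(?:[^ \n]* ){8}(?P<info>\w+)"
)

# Column order taken from the "#Fields:" header Windows writes at the top of
# pfirewall.log (assumed layout; hyphens replaced by underscores so the names
# are valid Splunk field names).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Alternative regex that names all 17 columns. Its .pattern string can be
# pasted into props.conf as an EXTRACT value. Anchored at both ends, so header
# lines (a different token count) do not match.
FULL_REGEX = re.compile(r"^" + r"\s+".join(rf"(?P<{f}>\S+)" for f in FIELDS) + r"$")

# Constructed sample log (not from a real host): the header line every
# pfirewall.log begins with, an IPv4 TCP drop and an IPv6 ICMP allow.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-07-31 10:12:33 DROP TCP 192.168.1.5 10.0.0.1 51234 445 52 S 123456 0 8192 - - - RECEIVE
2015-07-31 10:12:34 ALLOW ICMPv6 fe80::1 ff02::1 - - 64 - - - - 135 0 - SEND
"""


def extract_fields(line, regex=PAGE_REGEX):
    """Apply an EXTRACT-style regex to one event line; None if it does not match."""
    m = regex.match(line)
    return m.groupdict() if m else None


def parse_log(text, regex=PAGE_REGEX):
    """Run the extraction over every line, keeping only the lines that matched."""
    results = []
    for line in text.splitlines():
        fields = extract_fields(line, regex)
        if fields is not None:
            results.append(fields)
    return results


if __name__ == "__main__":
    for name, rx in (("page regex", PAGE_REGEX), ("full regex", FULL_REGEX)):
        print(f"== {name} ==")
        for event in parse_log(SAMPLE_LOG, rx):
            print(event)
    # Ready to paste under the [pfirewall] stanza in props.conf:
    print("EXTRACT-all_fields = " + FULL_REGEX.pattern)
```

Two things the run makes visible. First, because the page's regex skips eight space-separated columns after size and then captures one word, the group named info lands on the last column, path (RECEIVE/SEND), not on the info column; if you want both, name them separately as FULL_REGEX does. Second, the "#Fields:" header line also matches the page's regex (it yields date="#Fields:", time="date" and so on), so either keep those comment lines out at the forwarder or anchor the regex at both ends so they fail to match.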


  1. We use Splunk on our 200 Cisco switches. Pretty cool data to mine!

  2. Excellent piece of information. I had come to know about your website from my friend Kishore, Pune. I have read at least 8 posts of yours by now, and let me tell you, your site gives the best and the most interesting information. This is just the kind of information that I had been looking for. I'm already your RSS reader now and I would regularly watch out for the new posts. Once again, hats off to you! Thanks a lot once again. Regards, splunk training in hyderabad