drogozinskiy (Contributor)

Windows Firewall Parsing

Hello, colleagues!
I am trying to get vRealize Log Insight to "accept" Windows Firewall logs, and for some reason it does not recognize these logs at all and will not parse them. In vRealize Log Insight every log line arrives as a single text field!
The config is as follows:

[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

[parser|myparser]
base_parser = csv
fields = timestamp,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"timestamp": "tsp_parser"}
debug=yes

[parser|tsp_parser]
base_parser=timestamp
format=%Y-%m-%d %H:%M:%S

An example of a log:
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 35643 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 50551 53 0 - - - - - - - RECEIVE

What did I do wrong?

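The following is an added example written for this page; it is neither the poster's code nor anything shipped by VMware. It reproduces the two problems a reader can see in the posted config against the posted log lines: a csv parser takes its delimiter literally, so "\s" is not a space, and even with a real space the timestamp "2021-05-09 21:59:46" is two tokens, so the 16 names in fields= cannot line up with the 17 tokens of a pfirewall.log line. The second half parses the same lines with one named capture group per field, which is the shape a regex-based parser needs (the Log Insight agent has a base_parser=regex whose regex= option takes named groups written as (?<name>...); that syntax, and the assumption that field names may not contain "-", should be checked against the agent documentation, which is why the names below use underscores). The sample lines, including the "#Fields:" header that pfirewall.log starts with, are constructed here, not captured from a host.

```python
import re
from datetime import datetime

# Constructed sample input in pfirewall.log format (same shape as the lines
# quoted in the post, plus the header line such a file starts with).
SAMPLE_LINES = [
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE",
    "2021-05-09 21:59:47 DROP TCP 10.0.0.5 192.168.94.101 51234 445 52 S 123456 0 8192 - - - RECEIVE",
]

# The 16 field names from the post's csv parser, "timestamp" being one of them.
CSV_FIELDS = ("timestamp,action,protocol,src-ip,dst-ip,src-port,dst-port,size,"
              "tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path").split(",")


def csv_split(line, delimiter):
    """Split the way a plain csv parser does: on the literal delimiter string."""
    return line.split(delimiter)


def csv_field_mismatch(line):
    """Token counts for delimiter='\\s' (literal backslash-s), delimiter=' ',
    and the number of names the post's fields= list expects."""
    return (len(csv_split(line, "\\s")),   # no literal "\s" in the line -> 1 token
            len(csv_split(line, " ")),     # date and time are separate tokens -> 17
            len(CSV_FIELDS))               # 16 names: cannot line up either way


# One named group per field. The timestamp group swallows the space between
# date and time, which a single delimiter character cannot do.  Python spells
# named groups (?P<name>...); the agent's regex parser would use (?<name>...)
# (assumption, check the agent docs).  Hyphens in the post's field names are
# replaced with underscores because group names may not contain "-".
FIREWALL_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<protocol>\S+) (?P<src_ip>\S+) (?P<dst_ip>\S+) "
    r"(?P<src_port>\S+) (?P<dst_port>\S+) (?P<size>\S+) (?P<tcpflags>\S+) "
    r"(?P<tcpsyn>\S+) (?P<tcpack>\S+) (?P<tcpwin>\S+) (?P<icmptype>\S+) "
    r"(?P<icmpcode>\S+) (?P<info>\S+) (?P<path>\S+)\s*$"
)


def parse_firewall_line(line):
    """Return a dict of fields for one log line, or None for header/junk lines."""
    m = FIREWALL_RE.match(line)
    if not m:
        return None          # "#Fields: ..." and similar never match the timestamp
    fields = m.groupdict()
    # Same job as the post's tsp_parser: format=%Y-%m-%d %H:%M:%S
    fields["timestamp"] = datetime.strptime(fields["timestamp"], "%Y-%m-%d %H:%M:%S")
    # pfirewall.log writes "-" for fields that do not apply; normalise to None
    for key, value in fields.items():
        if value == "-":
            fields[key] = None
    return fields


def parse_all(lines):
    """Parse every line, dropping the ones the regex rejects."""
    return [r for r in (parse_firewall_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    print("csv token counts (\\s, space, expected):", csv_field_mismatch(SAMPLE_LINES[1]))
    for rec in parse_all(SAMPLE_LINES):
        print(rec["timestamp"], rec["action"], rec["protocol"],
              rec["src_ip"], "->", rec["dst_ip"], rec["dst_port"], rec["path"])
```

Running it prints the token counts (1, 17, 16) for the first data line and then the two parsed records; the "#Fields:" header is discarded because it never matches the timestamp at the start of the regex, which is also what the post's event_marker relies on.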