I tried your version with 17 fields:
; Input: tails the Windows Firewall log file and hands each event to
; the "myparser" section defined below.
[filelog|Microsoft_Windows_Firewall]
; Directory holding the firewall log (trailing backslash kept as written)
directory=C:\Windows\System32\LogFiles\Firewall\
; File name to read inside that directory
include=pfirewall.log
enabled=yes
; Name of the [parser|...] section that splits each line into fields
parser=myparser
; Tag attached to every event from this input (JSON object as a value)
tags={"ms_product":"pfirewall"}
; Regex marking the start of an event: a line beginning with a
; YYYY-MM-DD date. Written unquoted; presumably the agent takes the raw
; regex text as the value -- confirm against the agent's docs.
event_marker=^\d{4}-\d{2}-\d{2}
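; Parser used by [filelog|Microsoft_Windows_Firewall]: splits each
; firewall log line into the 17 named fields and decodes the two
; timestamp columns with the dedicated parsers below.
[parser|myparser]
base_parser=csv
; 17 field names, in the order they appear in pfirewall.log.
; No spaces around the commas: the original had "logdate, logtime",
; and a parser that does not trim would name the second field
; " logtime", which never matches the "logtime" key in field_decoder.
fields=logdate,logtime,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
; Columns are whitespace-separated (regex \s). Kept quoted as the
; author wrote it; whether the quotes are stripped depends on the
; agent's INI dialect -- confirm.
delimiter="\s"
; Exactly one field_decoder key per section. The original listed the
; key twice; on a last-wins INI parser only the "logtime" mapping
; would survive and "logdate" would never be decoded. Both mappings
; are now one JSON object.
field_decoder={"logdate": "date_parser", "logtime": "time_parser"}
debug=no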
; Decoder for the "logdate" field (referenced from [parser|myparser])
[parser|date_parser]
base_parser=timestamp
; strftime-style layout of the date column, e.g. 2024-01-31.
; NOTE(review): a bare % would be an error under Python configparser's
; default interpolation; assumes the agent uses its own INI reader -- confirm.
format=%Y-%m-%d
; Decoder for the "logtime" field (referenced from [parser|myparser]);
; its "format" key follows on the next line.
[parser|time_parser]
base_parser=timestamp
format=%H:%M:%S
Restarting agents. The problem hasn't changed in any way.
Output