Colleagues, hello!
I am trying to "accept" Windows Firewall logs in vRealize Log Insight. For some reason it does not recognize these logs at all and does not parse them. In vRealize Log Insight, every log line arrives as a single text field!
The config is as follows:
[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
[parser|myparser]
base_parser = csv
fields = timestamp,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"timestamp": "tsp_parser"}
debug=yes
[parser|tsp_parser]
base_parser=timestamp
format=%Y-%m-%d %H:%M:%S
An example of a log:
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 35643 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 50551 53 0 - - - - - - - RECEIVE
What did I do wrong?
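
Added example (not part of the original post and not Log Insight's own parser): a small Python parser for the pfirewall.log lines quoted above. It splits on single spaces and shows that each sample line yields 17 tokens against the 16 names in the posted `fields` list, because the date and the time are separate space-delimited tokens. The function names `token_mismatch`, `parse_line` and `parse_log` are chosen for this example.

```python
from datetime import datetime

# Field list copied from the [parser|myparser] section of the post.
CONFIG_FIELDS = ("timestamp,action,protocol,src-ip,dst-ip,src-port,dst-port,size,"
                 "tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path").split(",")

# Sample lines copied from the post.
SAMPLE = """\
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 35643 53 0 - - - - - - - RECEIVE
"""

def token_mismatch(line, fields=CONFIG_FIELDS):
    """Return (token_count, field_count) for a single-space split of the line."""
    return len(line.strip().split(" ")), len(fields)

def parse_line(line):
    """Parse one record into a dict; return None for header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):      # '#' lines are the log file header
        return None
    tokens = line.split(" ")
    # Date and time are two tokens; the rest map onto CONFIG_FIELDS[1:].
    if len(tokens) != len(CONFIG_FIELDS) + 1:
        return None
    try:
        ts = datetime.strptime(tokens[0] + " " + tokens[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    record = {"timestamp": ts}
    for name, value in zip(CONFIG_FIELDS[1:], tokens[2:]):
        record[name] = None if value == "-" else value   # '-' means "not applicable"
    for key in ("src-port", "dst-port", "size"):
        if record[key] is not None and record[key].isdigit():
            record[key] = int(record[key])
    return record

def parse_log(text):
    """Parse every record in a block of log text, skipping unparseable lines."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

if __name__ == "__main__":
    print("tokens vs. configured fields:", token_mismatch(SAMPLE.splitlines()[0]))
    for rec in parse_log(SAMPLE):
        print(rec["timestamp"], rec["action"], rec["protocol"],
              rec["src-ip"], rec["src-port"], "->", rec["dst-ip"], rec["dst-port"])
```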