drogozinskiy (Contributor):
I tried your version with 17 fields:

[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2}

[parser|myparser]
base_parser=csv
fields=logdate,logtime,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"logdate": "date_parser"}
field_decoder={"logtime": "time_parser"}
debug=no

[parser|date_parser]
base_parser=timestamp
format=%Y-%m-%d

[parser|time_parser]
base_parser=timestamp
format=%H:%M:%S

Restarted the agents. The problem hasn't changed in any way.

[Attached screenshot: Output]

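To check what the parser stanza above should produce from pfirewall.log independently of the agent, here is an added Python example (not code from the thread or from the agent vendor). It applies the same rules as the posted config: a record starts with an ISO date (the event_marker), fields are split on whitespace, the 17 fields are named in the same order, and logdate/logtime are decoded with %Y-%m-%d and %H:%M:%S. The log lines are constructed, not a real capture, and the last one is deliberately truncated to show how a line with the wrong number of fields is rejected rather than silently mis-mapped. The "-" placeholder handling and the per-source DROP count are assumptions about what a practitioner wants downstream, not part of the original post.

```python
import re
from collections import Counter
from datetime import datetime

# Field order as Windows Firewall writes it (the "#Fields:" header in
# pfirewall.log); the names mirror the 17 fields in the parser stanza above.
FIELDS = [
    "logdate", "logtime", "action", "protocol", "src-ip", "dst-ip",
    "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
    "icmptype", "icmpcode", "info", "path",
]

# Fields that hold integers when present; Windows writes "-" for not applicable.
NUMERIC = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
           "icmptype", "icmpcode"}

# Same event marker as the post: a record begins with an ISO date.
EVENT_MARKER = re.compile(r"^\d{4}-\d{2}-\d{2}")

# Constructed sample in the stock pfirewall.log layout (not a real capture).
# The final line is intentionally cut short to exercise the field-count check.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 09:30:01 DROP TCP 10.0.0.5 10.0.0.7 49152 445 52 S 123456789 0 8192 - - - RECEIVE
2024-01-15 09:30:02 ALLOW UDP 10.0.0.5 10.0.0.1 53412 53 0 - - - - - - - SEND
2024-01-15 09:30:03 DROP ICMP 10.0.0.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:30:04 DROP TCP 10.0.0.5
"""


def parse_record(line: str) -> dict:
    """Split one record on whitespace and decode it into the 17 named fields."""
    values = line.split()
    if len(values) != len(FIELDS):
        # A mismatch here means the field list and the log layout disagree;
        # refusing the line is safer than shifting every later field by one.
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = {}
    for name, value in zip(FIELDS, values):
        if value == "-":
            rec[name] = None
        elif name in NUMERIC:
            rec[name] = int(value)
        else:
            rec[name] = value
    # The two timestamp decoders from the post, combined into one datetime.
    rec["timestamp"] = datetime.strptime(
        f"{rec['logdate']} {rec['logtime']}", "%Y-%m-%d %H:%M:%S")
    return rec


def parse_log(text: str):
    """Return (records, rejected); rejected holds (line, reason) pairs."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and the W3C-style directive header
        if not EVENT_MARKER.match(line):
            rejected.append((line, "no event marker"))
            continue
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return records, rejected


def drops_by_source(records) -> Counter:
    """Count DROP events per source IP, a first triage view over parsed data."""
    return Counter(r["src-ip"] for r in records if r["action"] == "DROP")


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["timestamp"], r["action"], r["protocol"], r["src-ip"], r["dst-port"])
    for line, why in bad:
        print("REJECTED:", why, "->", line)
    print(drops_by_source(recs))
```

Running it against a real pfirewall.log (read the file instead of SAMPLE_LOG) is a quick way to confirm that every line actually has 17 whitespace-separated values and that logdate/logtime parse with those formats; if the rejected list is non-empty, the agent's field list or delimiter is the thing to revisit, not the timestamp decoders.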