VMware Cloud Community
drogozinskiy

Windows Firewall Parsing

Colleagues, hello!
Trying to "receive" Windows Firewall logs in vRealize Log Insight, and for some reason it does not recognise these logs at all and does not want to parse them. In vRealize Log Insight, every log line comes in as one text field!
The config is as follows:

[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

[parser|myparser]
base_parser = csv
fields = timestamp,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"timestamp": "tsp_parser"}
debug=yes

[parser|tsp_parser]
base_parser=timestamp
format=%Y-%m-%d %H:%M:%S

An example of a log:
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 35643 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 50551 53 0 - - - - - - - RECEIVE

What did I do wrong?

Cederberg

Hi.

With the csv parser it's very important to have the right number of fields specified. I think the problem is that there is a space between the date and the time, so the csv parser sees two fields, which makes it a total of 17 fields, and you have only specified 16. Timestamp should be 2 fields: Date and Time.

If you want timestamp to be one field, I guess you need to use another parser.

Regards
//Cederberg

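As an added example (not code from this thread or from VMware), here is a Python sketch of how a space-delimited CSV split sees a pfirewall.log line, which is where the 16-versus-17 field count above comes from. It assumes the agent takes the delimiter literally, as the working delimiter=" " later in this thread suggests, and the sample lines are constructed.

```python
"""Tokenise Windows Firewall pfirewall.log lines the way a space-delimited
CSV parser does, to show why the field list needs 17 names: the date and
the time are separate tokens. Sample lines below are constructed."""
from datetime import datetime
from typing import List, Optional

# 17 names, mirroring the layout of the working config in the thread
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]

# Constructed sample, modelled on the lines posted in the thread
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE
2021-05-09 21:59:47 DROP TCP 192.168.94.119 192.168.94.101 44123 445 52 S 1234567 0 8192 - - - RECEIVE
"""


def count_tokens(line: str, delimiter: str) -> int:
    """Literal split. Assumption: the agent does not treat the delimiter as a
    regex, so a delimiter of '\\s' (two characters) never matches a space and
    the whole line stays one token; ' ' yields 17 tokens."""
    return len(line.split(delimiter))


def parse_line(line: str, fields: List[str]) -> Optional[dict]:
    """Map one log line onto the field names. '-' becomes None and the
    date/time pair is folded into a datetime. Header (#) and blank lines are
    skipped. Raises when the token count disagrees with the field list, which
    is the mismatch a 16-name field list runs into on these lines."""
    if not line.strip() or line.startswith("#"):
        return None
    tokens = line.split(" ")
    if len(tokens) != len(fields):
        raise ValueError(f"{len(tokens)} tokens but {len(fields)} field names")
    rec = {name: (None if tok == "-" else tok) for name, tok in zip(fields, tokens)}
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                         "%Y-%m-%d %H:%M:%S")
    return rec


def parse_log(text: str, fields: List[str] = FIELDS) -> List[dict]:
    """Parse every data line of a pfirewall.log body into dicts."""
    return [r for r in (parse_line(ln, fields) for ln in text.splitlines()) if r]
```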
drogozinskiy

I tried your version with 17 fields:

[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2}

[parser|myparser]
base_parser = csv
fields = logdate, logtime,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"logdate": "date_parser"}
field_decoder={"logtime": "time_parser"}
debug=no

[parser|date_parser]
base_parser=timestamp
format=%Y-%m-%d

[parser|time_parser]
base_parser=timestamp
format=%H:%M:%S

Restarting agents. The problem hasn't changed in any way.

Cederberg

Ok, that's a bit weird.

I don't know if it matters or if it's a typo, but you have a space before the field Logtime.
You can try enabling debug mode, and the log files on the agent will probably tell you what's wrong, but remember to turn it off afterwards as it can generate a lot of logs. The log file is located at C:\ProgramData\VMware\Log Insight Agent\log on the agent server and is called liagent_Date.log.

This is the config I'm using. I have tried to make the fields unique with a prefix WinFW_. I don't really know if that matters. Other than that it seems to be the same as yours, except for the timestamp parser.

[filelog|WindowsFirewallLogFile]
directory=C:\Windows\System32\LogFiles\Firewall
include=*.log
parser=WinFWLogParser
tags={"label":"windows_firewall_logfile"}

[parser|WinFWLogParser]
base_parser=csv
fields=WinFW_Date,WinFW_Time,WinFW_action,WinFW_protocol,WinFW_srcip,WinFW_dstip,WinFW_srcport,WinFW_dstport,WinFW_size,WinFW_tcpflags,WinFW_tcpsyn,WinFW_tcpack,WinFW_tcpwin,WinFW_icmptype,WinFW_icmpcode,WinFW_info,WinFW_path
delimiter=" "
debug=no

drogozinskiy

Yes!!! Your config works.

I compared the two configs; they both seem similar. The path with a trailing backslash is in my config, and the separator as a special character is in my config only. Live and learn.