<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Windows Firewall Parsing in VMware Aria Operations for Logs Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847404#M2707</link>
    <description>&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;With the csv parser it's very important to have the right amount of fields specified. I think the problem is that there is a space between the date and the time, so the csv parser sees two fields, which makes it a total of 17 fields and you have only specified 16. Timestamp should be 2 fields: Date and Time.&lt;/P&gt;&lt;P&gt;If you want timestamp to be one field I guess you need to use another parser.&lt;/P&gt;&lt;P&gt;Regards&lt;BR /&gt;//Cederberg&lt;/P&gt;</description>
    <pubDate>Mon, 17 May 2021 06:33:50 GMT</pubDate>
    <dc:creator>Cederberg</dc:creator>
    <dc:date>2021-05-17T06:33:50Z</dc:date>
    <item>
      <title>Windows Firewall Parsing</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2846575#M2706</link>
      <description>&lt;P&gt;Colleagues, hello!&lt;BR /&gt;Trying to "accept" Windows Firewall logs on vRealize Log Insight. And for some reason it does not perceive these logs at all and does not want to parse them. In vRealize Log Insight, all log lines go as one text field!&lt;BR /&gt;The config is as follows:&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

[parser|myparser]
base_parser = csv
fields = timestamp,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"timestamp": "tsp_parser"}
debug=yes

[parser|tsp_parser]
base_parser=timestamp
format=%Y-%m-%d %H:%M:%S&lt;/LI-CODE&gt;&lt;P&gt;An example of a log:&lt;BR /&gt;2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 39982 53 0 - - - - - - - RECEIVE&lt;BR /&gt;2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 35643 53 0 - - - - - - - RECEIVE&lt;BR /&gt;2021-05-09 21:59:46 ALLOW UDP 192.168.94.119 192.168.94.101 50551 53 0 - - - - - - - RECEIVE&lt;BR /&gt;&lt;BR /&gt;What did I do wrong?&lt;/P&gt;</description>
      <pubDate>Tue, 11 May 2021 13:21:03 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2846575#M2706</guid>
      <dc:creator>drogozinskiy</dc:creator>
      <dc:date>2021-05-11T13:21:03Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Firewall Parsing</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847404#M2707</link>
      <description>&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;With the csv parser it's very important to have the right amount of fields specified. I think the problem is that there is a space between the date and the time, so the csv parser sees two fields, which makes it a total of 17 fields and you have only specified 16. Timestamp should be 2 fields: Date and Time.&lt;/P&gt;&lt;P&gt;If you want timestamp to be one field I guess you need to use another parser.&lt;/P&gt;&lt;P&gt;Regards&lt;BR /&gt;//Cederberg&lt;/P&gt;</description>
      <pubDate>Mon, 17 May 2021 06:33:50 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847404#M2707</guid>
      <dc:creator>Cederberg</dc:creator>
      <dc:date>2021-05-17T06:33:50Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Firewall Parsing</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847411#M2708</link>
      <description>&lt;P&gt;I tried your version with 17 fields:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[filelog|Microsoft_Windows_Firewall]
directory=C:\Windows\System32\LogFiles\Firewall\
include=pfirewall.log
enabled=yes
parser=myparser
tags={"ms_product":"pfirewall"}
event_marker=^\d{4}-\d{2}-\d{2}

[parser|myparser]
base_parser = csv
fields = logdate, logtime,action,protocol,src-ip,dst-ip,src-port,dst-port,size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,path
delimiter="\s"
field_decoder={"logdate": "date_parser"}
field_decoder={"logtime": "time_parser"}
debug=no

[parser|date_parser]
base_parser=timestamp
format=%Y-%m-%d
[parser|time_parser]
base_parser=timestamp
format=%H:%M:%S&lt;/LI-CODE&gt;&lt;P&gt;Restarting agents. The problem hasn't changed in any way.&lt;/P&gt;&lt;P&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/88849iFAA5CA025135624D/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" title="2021-05-17_13-00-52.png" alt="Output" /&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 17 May 2021 07:06:16 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847411#M2708</guid>
      <dc:creator>drogozinskiy</dc:creator>
      <dc:date>2021-05-17T07:06:16Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Firewall Parsing</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847414#M2709</link>
      <description>&lt;P&gt;Ok, that's a bit weird.&lt;/P&gt;&lt;P&gt;I don't know if it matters or if it's a typo, but you have a space before field Logtime.&lt;BR /&gt;You can try enabling the debug mode and the log files on the agent will probably tell you what's wrong, but remember to turn it off afterwards as it can generate many logs. The log file is located here: C:\ProgramData\VMware\Log Insight Agent\log on the agent server, and it is called liagent_Date.log&lt;/P&gt;&lt;P&gt;This is the config I'm using. I have tried to make the fields unique with a prefix WinFW_. I don't really know if that matters. Other than that it seems to be the same as yours except for the timestamp parser.&lt;/P&gt;&lt;P&gt;[filelog|WindowsFirewallLogFile]&lt;BR /&gt;directory=C:\Windows\System32\LogFiles\Firewall&lt;BR /&gt;include=*.log&lt;BR /&gt;parser=WinFWLogParser&lt;BR /&gt;tags={"label":"windows_firewall_logfile"}&lt;/P&gt;&lt;P&gt;[parser|WinFWLogParser]&lt;BR /&gt;base_parser=csv&lt;BR /&gt;fields=WinFW_Date,WinFW_Time,WinFW_action,WinFW_protocol,WinFW_srcip,WinFW_dstip,WinFW_srcport,WinFW_dstport,WinFW_size,WinFW_tcpflags,WinFW_tcpsyn,WinFW_tcpack,WinFW_tcpwin,WinFW_icmptype,WinFW_icmpcode,WinFW_info,WinFW_path&lt;BR /&gt;delimiter=" "&lt;BR /&gt;debug=no&lt;/P&gt;</description>
      <pubDate>Mon, 17 May 2021 07:36:23 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847414#M2709</guid>
      <dc:creator>Cederberg</dc:creator>
      <dc:date>2021-05-17T07:36:23Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Firewall Parsing</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847614#M2711</link>
      <description>&lt;P&gt;Yes!!! Your config works.&lt;/P&gt;&lt;P&gt;I compared the two configs; they both seem to be similar. The path with a backslash is in my config, and the separator as a special character is in my config only. Live and learn.&lt;/P&gt;</description>
      <pubDate>Tue, 18 May 2021 05:35:34 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Windows-Firewall-Parsing/m-p/2847614#M2711</guid>
      <dc:creator>drogozinskiy</dc:creator>
      <dc:date>2021-05-18T05:35:34Z</dc:date>
    </item>
  </channel>
</rss>

