The Splunk Technology Add-On for Windows Firewall provides extractions and CIM normalization for Windows Firewall Logs.
To enable logging of Windows Firewall events, open the "Windows Firewall with Advanced Security" console (or simply run WF.msc from the command line), then:
- select "Windows Firewall properties"
- select "Customize..." in the "Logging" section
- define the log file location, the logging settings (log dropped/allowed packets) and the log file size. It is recommended to increase the log file size to the maximum possible (32 MB).
Once configured, the log file is created and looks similar to this:
```
2016-08-31 10:47:42 ALLOW TCP 185.16.111.4 185.16.111.7 51171 10000 0 - 0 0 0 - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::4805:6c5e:a242:a171 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:52 DROP TCP 185.16.111.7 185.16.111.4 8089 51170 40 FA 2826662512 1602666708 63360 - - - RECEIVE
2016-08-31 10:48:06 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:48:06 ALLOW UDP fe80::4805:6c5e:a242:a171 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:48:12 ALLOW TCP 185.16.111.4 185.16.111.7 51172 10000 0 - 0 0 0 - - - SEND
```
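The entries are space-separated fields in a fixed order, with `-` standing for "not applicable". As an added example (not part of this TA), the Python below parses such lines into CIM Network Traffic field names and summarises ALLOW/DROP per direction; the field order is taken from the `#Fields:` header Windows writes at the top of pfirewall.log, and the native-to-CIM name mapping is assumed to match the TA's aliases.

```python
from collections import Counter

# Field order from the '#Fields:' header Windows writes at the top of
# pfirewall.log (W3C extended log format).
FIELDS = ["date", "time", "action", "protocol", "src-ip", "dst-ip",
          "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]

# Native name -> CIM Network Traffic field name (assumed to match what
# the TA's aliases produce; the CIM names themselves are standard).
CIM = {"src-ip": "src_ip", "dst-ip": "dest_ip", "src-port": "src_port",
       "dst-port": "dest_port", "protocol": "transport", "size": "bytes",
       "path": "direction"}

# Constructed sample: the header plus three entries from the log above.
SAMPLE = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-08-31 10:47:42 ALLOW TCP 185.16.111.4 185.16.111.7 51171 10000 0 - 0 0 0 - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:52 DROP TCP 185.16.111.7 185.16.111.4 8089 51170 40 FA 2826662512 1602666708 63360 - - - RECEIVE
"""


def parse_line(line):
    """Return one entry as a dict of CIM-named fields, or None.

    '-' means 'not applicable' in this format and is dropped, so the
    dict only carries fields that actually have a value.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # header, comment or truncated line
    event = {CIM.get(n, n): v for n, v in zip(FIELDS, parts) if v != "-"}
    event["_time"] = event.pop("date") + " " + event.pop("time")
    return event


def parse_log(text):
    """Parse every entry of a log, skipping header/comment lines."""
    events = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        event = parse_line(line)
        if event is not None:
            events.append(event)
    return events


def action_summary(events):
    """Count (action, direction) pairs, e.g. to spot inbound DROP spikes."""
    return Counter((e["action"], e["direction"]) for e in events)
```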
Download this TA and place it in etc/apps on your Search Head and on your Universal Forwarders.
The file input shipped with the TA is disabled by default. To collect data on the Forwarder, create a local/inputs.conf file like the one below; the monitor path must match the log file location you configured in the Logging dialog:
```
[monitor://C:\Windows\system32\LogFiles\Firewall\pfirewall.log]
disabled = false
sourcetype = winfw
```
Verify that the data input and the extractions work by searching for:
```
sourcetype=winfw tag=network tag=communicate
```