schose / TA-winfw

Splunk Technology Add-On for Windows Firewall

Technology Add-On for Windows Firewall

The Splunk Technology Add-On for Windows Firewall provides extractions and CIM normalization for Windows Firewall Logs.

Activation of Firewall Logging in Windows

To activate logging of Windows Firewall events, open the "Windows Firewall with Advanced Security" app or simply run WF.msc from the command line, then:

  • select "Windows Firewall properties"
  • select "Customize..." in the "Logging" section
  • define the logfile location, the logging settings (log dropped/allowed packets) and the logfile size. It's recommended to increase the logfile size to the maximum possible (32MB).

Once logging is configured, the logfile is created and looks similar to this:

2016-08-31 10:47:42 ALLOW TCP 185.16.111.4 185.16.111.7 51171 10000 0 - 0 0 0 - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::4805:6c5e:a242:a171 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:52 DROP TCP 185.16.111.7 185.16.111.4 8089 51170 40 FA 2826662512 1602666708 63360 - - - RECEIVE
2016-08-31 10:48:06 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:48:06 ALLOW UDP fe80::4805:6c5e:a242:a171 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:48:12 ALLOW TCP 185.16.111.4 185.16.111.7 51172 10000 0 - 0 0 0 - - - SEND
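The lines above are space-separated in the column order declared by the "#Fields:" header that Windows writes at the top of pfirewall.log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path), with "-" for fields that do not apply. The following parser is an added example, not code from this TA, and it is not the TA's own extraction; it maps the seven sample lines to CIM Network Traffic style field names (action, transport, src_ip, dest_ip, src_port, dest_port, direction) the way a Splunk extraction would, honours a "#Fields:" header when present, and rolls up blocked events per source and destination port. The header lines in SAMPLE_LOG are constructed in the documented format, and src_ip_version is a helper field of this example, not a CIM field.

```python
"""Parse Windows Firewall (pfirewall.log) lines into CIM-style Network Traffic fields."""
import ipaddress
from collections import Counter
from datetime import datetime

# Column order of the Windows Firewall log (log version 1.5), used when no "#Fields:" header is seen.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample input: a header in the documented format followed by the seven
# lines shown in the README above.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-08-31 10:47:42 ALLOW TCP 185.16.111.4 185.16.111.7 51171 10000 0 - 0 0 0 - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:51 ALLOW UDP fe80::4805:6c5e:a242:a171 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:47:52 DROP TCP 185.16.111.7 185.16.111.4 8089 51170 40 FA 2826662512 1602666708 63360 - - - RECEIVE
2016-08-31 10:48:06 ALLOW UDP fe80::8182:6f65:d54f:3c64 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:48:06 ALLOW UDP fe80::4805:6c5e:a242:a171 ff02::1:2 546 547 0 - - - - - - - SEND
2016-08-31 10:48:12 ALLOW TCP 185.16.111.4 185.16.111.7 51172 10000 0 - 0 0 0 - - - SEND
"""

ACTION_MAP = {"ALLOW": "allowed", "DROP": "blocked"}        # CIM action values
DIRECTION_MAP = {"SEND": "outbound", "RECEIVE": "inbound"}  # CIM direction values


def _opt(value):
    """Windows writes '-' for fields that do not apply; map that to None."""
    return None if value == "-" else value


def _opt_int(value):
    value = _opt(value)
    return int(value) if value is not None else None


def parse_line(line, fields=FIELDS):
    """Return a dict of CIM-style fields for one log line, or None for header/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    if len(tokens) != len(fields):
        # A truncated or malformed line must not be silently mis-mapped onto the wrong columns.
        raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}: {line!r}")
    raw = dict(zip(fields, tokens))
    src = ipaddress.ip_address(raw["src-ip"])   # raises on garbage instead of indexing it
    dest = ipaddress.ip_address(raw["dst-ip"])
    return {
        # "#Time Format: Local": the timestamp carries no zone, so this is a naive datetime.
        "_time": datetime.strptime(f"{raw['date']} {raw['time']}", "%Y-%m-%d %H:%M:%S"),
        "action": ACTION_MAP.get(raw["action"], raw["action"].lower()),
        "transport": raw["protocol"].lower(),
        "src_ip": str(src),
        "dest_ip": str(dest),
        "src_ip_version": src.version,  # helper field of this example (4 or 6), not a CIM field
        "src_port": _opt_int(raw["src-port"]),
        "dest_port": _opt_int(raw["dst-port"]),
        "bytes": _opt_int(raw["size"]),
        "tcp_flags": _opt(raw["tcpflags"]),
        "icmp_type": _opt_int(raw["icmptype"]),
        "icmp_code": _opt_int(raw["icmpcode"]),
        "direction": DIRECTION_MAP.get(raw["path"], raw["path"].lower()),
    }


def parse_log(text):
    """Parse a whole log, taking the column order from a '#Fields:' header if one is present."""
    fields = list(FIELDS)
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        rec = parse_line(line, fields)
        if rec is not None:
            records.append(rec)
    return records


def blocked_by_source(records):
    """Count blocked events per (src_ip, dest_port), i.e. a 'stats count by src_ip dest_port'
    rollup restricted to action=blocked."""
    return Counter((r["src_ip"], r["dest_port"]) for r in records if r["action"] == "blocked")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} events parsed")
    for (src, port), n in blocked_by_source(recs).items():
        print(f"blocked: {n} event(s) from {src} to port {port}")
```

Dropping header lines and rejecting lines with the wrong field count matters in practice: the firewall rotates the file in place when it reaches its size limit, so a tailer can see a partial line, and mapping those tokens onto the wrong columns would turn a DROP into a wrong destination port in your searches.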

Installation and Deployment of TA-winfw

Download this TA and place it in etc/apps on your Search Head and Universal Forwarders.

The file input is disabled by default. To collect data on the Forwarder, create a local/inputs.conf file like this:

[monitor://C:\Windows\system32\LogFiles\Firewall\pfirewall.log]
disabled = false
sourcetype = winfw

Verify that the data input and the extractions work by searching for

sourcetype=winfw tag=network tag=communicate