Hello, I'm fairly new to Splunk and am trying to extract local Windows Firewall logs so they can be automatically indexed by Splunk. The Universal Forwarder is installed and I validated that Event Logs are being indexed. After some research, I found the Technology Add-On for Windows Firewall. The instructions in the add-on were not clear, but I followed them to the best of my ability, extracting the contents of the add-on to C:\program files\splunkuniversalforwarder\etc\apps\TA-winfw-master (with several subdirectories under that). I also modified the inputs.conf file under etc\system\local; it currently shows as this:
[default]
host = myserver
[monitor://C:\Windows\system32\LogFiles\Firewall\pfirewall.log]
disabled = false
sourcetype = winfw
The Windows Firewall is configured properly and I validated that logs are showing in the pfirewall.log.
I stopped/restarted the Universal Forwarder service, but I am still not getting the firewall logs, even after generating new traffic. I search for sourcetype=winfw and get no results. I suspect that I'm missing something rather simple, but I can't seem to figure it out.
Thank you in advance...
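As an added example (not part of the original post or of the TA-winfw add-on), a small Python parser for the W3C-format pfirewall.log, useful for confirming the file actually contains complete, parseable entries of the kind a sourcetype such as winfw would need to extract fields from; the log lines embedded below are constructed samples.

```python
"""Parse a Windows Firewall pfirewall.log (W3C extended format) and summarise it.

Added example, not code from the original post or from the TA-winfw add-on.
SAMPLE_LOG is constructed and mirrors the header Windows writes at the top of
C:\\Windows\\system32\\LogFiles\\Firewall\\pfirewall.log.
"""
from collections import Counter

# Constructed sample of pfirewall.log; the "#Fields:" header names the columns.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 10:00:01 DROP TCP 192.0.2.10 192.0.2.50 51234 445 52 S 1042117 0 64240 - - - RECEIVE
2024-05-01 10:00:02 ALLOW UDP 192.0.2.50 192.0.2.1 55021 53 0 - 0 0 0 - - - SEND
2024-05-01 10:00:03 DROP TCP 192.0.2.11 192.0.2.50 41000 3389 52 S 77132 0 64240 - - - RECEIVE
2024-05-01 10:00:04 DROP TCP 192.0.2.10 192.0.2.50 51235 445 52 S 1042118 0 64240 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("log entry seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or partially written line; skip it
        entries.append(dict(zip(fields, values)))
    return entries


def drops_by_dst_port(entries):
    """Count DROP entries per destination port, a first triage view of the log."""
    return Counter(e["dst-port"] for e in entries if e["action"] == "DROP")


if __name__ == "__main__":
    parsed = parse_pfirewall(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for port, n in drops_by_dst_port(parsed).most_common():
        print(f"dst-port {port}: {n} drops")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of pfirewall.log; if it parses zero entries, the file is not yet being written in the expected format and the forwarder input is not the first thing to chase.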