Ship Windows Firewall Logs to Elasticsearch using Elastic-Agent Custom Logs Integration
This note walks through sending Windows Firewall logs to Elasticsearch with an Elastic-Agent running the Custom Logs integration: add the integration to an agent policy, create an ingest pipeline that dissects each log line into fields, and create an index template that maps those fields.
Assumptions:
- Elastic-Agent is installed and enrolled on the source computer
- Firewall logging is enabled and the log is at its default path, C:\Windows\System32\LogFiles\Firewall\pfirewall.log (Windows writes neither allowed nor dropped packets by default; `Get-NetFirewallProfile` shows `LogFileName`, `LogAllowed` and `LogBlocked` per profile)
- Attributes/fields of the various components that are not mentioned below are left at their defaults
Example Environment:
- Client:
  - Windows Server 2016
  - Elastic-Agent: v8.13.4
- Server:
  - Custom Logs integration: v2.3.1
  - Elasticsearch: v8.13.4
Step 1: Add "Custom Logs" integration to desired Agent Policy
Policy Attribute | Value |
---|---|
Namespace | default |
Log file path | C:\Windows\System32\LogFiles\Firewall\pfirewall.log |
Dataset name | windows_firewall |
Custom configurations | pipeline: logs-windows_firewall-default |

Notes on the values:
- The integration names the data stream `logs-<dataset>-<namespace>`, so dataset `windows_firewall` in the `default` namespace gives `logs-windows_firewall-default`, which is what the pipeline name here and the index pattern in Step 3 expect. Do not put the `logs-` prefix into the dataset name itself, or the data stream becomes `logs-logs-windows_firewall-default` and nothing below matches it.
- `pipeline` is an input-level Filebeat option, not a processor, so it goes in the Custom configurations YAML field rather than the Processors field. If the integration version in use has no such field, setting `index.default_pipeline` to the pipeline name in the index template of Step 3 has the same effect.
Step 2: Create Ingest Pipeline
- Management -> Ingest Pipelines -> Create pipeline
- Name: "logs-windows_firewall-default"
- Add "Dissect" processor
  - Field: "message"
  - Pattern: `%{windows_firewall.date} %{windows_firewall.time} %{windows_firewall.action} %{windows_firewall.protocol} %{windows_firewall.src-ip} %{windows_firewall.dst-ip} %{windows_firewall.src-port} %{windows_firewall.dst-port} %{windows_firewall.size} %{windows_firewall.tcpflags} %{windows_firewall.tcpsyn} %{windows_firewall.tcpack} %{windows_firewall.tcpwin} %{windows_firewall.icmptype} %{windows_firewall.icmpcode} %{windows_firewall.info} %{windows_firewall.path}`
  - Tag: "windows-firewall"

The pattern mirrors the `#Fields:` header Windows writes at the top of pfirewall.log, one key per space-separated column; because the keys contain dots, the processor stores them as a nested `windows_firewall` object. Three properties of the raw log need handling that the dissect processor alone does not provide:
- The file begins with `#Version`, `#Software`, `#Time Format` and `#Fields` header lines that do not fit the pattern. Either exclude them at the agent (`exclude_lines: ['^#']` in the integration's Custom configurations) or put a Drop processor with the condition `ctx.message.startsWith('#')` ahead of the dissect.
- Columns that do not apply to an entry (ports on ICMP entries, ICMP type/code on TCP and UDP entries, TCP flags on UDP entries) are written as `-`. The integer mappings in Step 3 reject that value, so either remove those placeholders in the pipeline (a Script processor can delete every `windows_firewall.*` entry whose value is `-`) or set `ignore_malformed: true` on the numeric fields.
- Date and time are separate columns in the host's local time (`#Time Format: Local`). To get a usable `@timestamp`, join them with a Set processor and parse the result with a Date processor using the format `yyyy-MM-dd HH:mm:ss` and the host's time zone.
Step 3: Create Index Template
- Management -> Index Management -> Index Templates -> Create template
- Name: "logs-windows_firewall-template"
- Index patterns: "logs-windows_firewall-*"
- Create data stream: enabled
- Component Templates: none
- Index settings: none
- Mappings: add a field for each key in the Step 2 dissect pattern, typed for how the value will be queried
  - "windows_firewall.date": Date
  - "windows_firewall.action": Keyword
  - "windows_firewall.dst-port": Integer
  - "windows_firewall.dst-ip": IP
  - "windows_firewall.icmpcode": Integer
  - etc. (the full list is in the API request below)
- Aliases: None

Two things to check once the template exists. First, Fleet normally installs its own index template for each dataset in a policy, named after the data stream (`logs-windows_firewall`) with priority 200; `GET _index_template/logs-windows_firewall*` shows both, and Elasticsearch applies the matching template with the higher priority, so a hand-made template left at the default priority loses. Either give it a higher priority or, instead of a separate template, put the mappings in the `logs-windows_firewall@custom` component template that Fleet's template composes in (check its `composed_of` list). Second, the enumerated columns (action, protocol, tcpflags, path) are mapped as keyword rather than text so they can be filtered and aggregated exactly; protocol in particular must not be `constant_keyword`, which permits a single value per index and rejects the second protocol seen.
Full API request to create the index template. Compared with a literal export of the Kibana form, `protocol` is `keyword` rather than `constant_keyword`, `size` is `integer` rather than `byte` (a signed 8-bit type that overflows on any packet larger than 127 bytes), `time` is `keyword` (a bare `HH:mm:ss` matches none of the date formats and would reject the document; `@timestamp` is built in the pipeline instead), `icmptype` is `integer` like `icmpcode`, and the remaining string columns are `keyword`:

```json
PUT _index_template/logs-windows_firewall-template
{
  "index_patterns": ["logs-windows_firewall-*"],
  "data_stream": { "hidden": false, "allow_custom_routing": false },
  "template": {
    "mappings": {
      "_source": { "enabled": true, "includes": [], "excludes": [] },
      "_routing": { "required": false },
      "dynamic": true,
      "numeric_detection": false,
      "date_detection": true,
      "dynamic_date_formats": ["strict_date_optional_time", "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"],
      "dynamic_templates": [],
      "properties": {
        "windows_firewall.date":     { "type": "date" },
        "windows_firewall.time":     { "type": "keyword" },
        "windows_firewall.action":   { "type": "keyword" },
        "windows_firewall.protocol": { "type": "keyword" },
        "windows_firewall.src-ip":   { "type": "ip", "index": true, "doc_values": true, "store": false },
        "windows_firewall.dst-ip":   { "type": "ip", "index": true, "doc_values": true, "store": false },
        "windows_firewall.src-port": { "type": "integer" },
        "windows_firewall.dst-port": { "type": "integer", "index": true, "ignore_malformed": false, "coerce": true, "doc_values": true, "store": false },
        "windows_firewall.size":     { "type": "integer" },
        "windows_firewall.tcpflags": { "type": "keyword" },
        "windows_firewall.tcpsyn":   { "type": "keyword" },
        "windows_firewall.tcpack":   { "type": "keyword" },
        "windows_firewall.tcpwin":   { "type": "keyword" },
        "windows_firewall.icmptype": { "type": "integer" },
        "windows_firewall.icmpcode": { "type": "integer" },
        "windows_firewall.info":     { "type": "keyword" },
        "windows_firewall.path":     { "type": "keyword" }
      }
    }
  }
}
```
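As a check before creating anything in the cluster, the following is an added Python example (not code from the original note or from Elastic). It emulates the dissect processor for the Step 2 pattern, applies the header-line, placeholder and timestamp handling described above, and reports which integer-mapped fields of the Step 3 template a value would violate. The log sample is constructed, the extra processors in `PIPELINE` (drop, script, set, date, remove) and the `UTC` time zone are this example's assumptions, and the local dissect emulation covers only a single-space-delimited pattern.

```python
"""Offline check of the Step 2 dissect pattern and the Step 3 integer mappings.

Added example, not code from the original note. It emulates the dissect
processor for the space-delimited pattern above, applies the header-line,
"-" placeholder and date+time handling pfirewall.log needs, and reports
which values the integer-typed fields of the index template would reject.
"""
import re
from datetime import datetime

# Pattern from Step 2; the keys become the windows_firewall.* fields.
DISSECT_PATTERN = (
    "%{windows_firewall.date} %{windows_firewall.time} %{windows_firewall.action} "
    "%{windows_firewall.protocol} %{windows_firewall.src-ip} %{windows_firewall.dst-ip} "
    "%{windows_firewall.src-port} %{windows_firewall.dst-port} %{windows_firewall.size} "
    "%{windows_firewall.tcpflags} %{windows_firewall.tcpsyn} %{windows_firewall.tcpack} "
    "%{windows_firewall.tcpwin} %{windows_firewall.icmptype} %{windows_firewall.icmpcode} "
    "%{windows_firewall.info} %{windows_firewall.path}"
)

# Fields Step 3 maps as integers; a "-" placeholder in any of them rejects the document.
NUMERIC_FIELDS = {
    "windows_firewall.src-port", "windows_firewall.dst-port", "windows_firewall.size",
    "windows_firewall.icmptype", "windows_firewall.icmpcode",
}

# Constructed pfirewall.log sample (not a real capture): the header block Windows
# writes, a blank line, then one TCP, one UDP and one ICMP entry.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-15 10:23:45 ALLOW TCP 10.0.0.5 10.0.0.10 51234 443 0 - 0 0 0 - - - SEND
2024-05-15 10:23:46 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2024-05-15 10:23:47 DROP ICMP 10.0.0.9 10.0.0.5 - - 84 - - - - 8 0 - RECEIVE
"""

# Ingest pipeline body: the Step 2 dissect plus the processors the text calls for.
# The drop/script/set/date/remove steps and the UTC timezone are this example's
# assumptions; the log is written in the host's local time (#Time Format: Local).
PIPELINE = {
    "description": "Windows Firewall pfirewall.log",
    "processors": [
        {"drop": {"if": "ctx.message == null || ctx.message.trim().isEmpty()"
                        " || ctx.message.startsWith('#')"}},
        {"dissect": {"field": "message", "pattern": DISSECT_PATTERN, "tag": "windows-firewall"}},
        {"script": {"source": "ctx.windows_firewall.entrySet().removeIf(e -> e.getValue() == '-')"}},
        {"set": {"field": "windows_firewall.datetime",
                 "value": "{{{windows_firewall.date}}} {{{windows_firewall.time}}}"}},
        {"date": {"field": "windows_firewall.datetime",
                  "formats": ["yyyy-MM-dd HH:mm:ss"], "timezone": "UTC"}},
        {"remove": {"field": "windows_firewall.datetime"}},
    ],
}


def dissect(pattern, message):
    """Approximate the dissect processor for a space-delimited pattern: every key takes
    one token, the last key takes the rest of the line; None means too few columns."""
    keys = re.findall(r"%\{([^}]+)\}", pattern)
    tokens = message.split(" ", len(keys) - 1)
    return dict(zip(keys, tokens)) if len(tokens) == len(keys) else None


def process(message):
    """Python mirror of PIPELINE for one raw line: the document, or None if dropped."""
    if not message.strip() or message.startswith("#"):
        return None
    doc = dissect(DISSECT_PATTERN, message)
    if doc is None:
        raise ValueError(f"dissect failed on {message!r}")
    doc = {k: v for k, v in doc.items() if v != "-"}  # what the script processor does
    local = datetime.strptime(
        f"{doc['windows_firewall.date']} {doc['windows_firewall.time']}", "%Y-%m-%d %H:%M:%S")
    doc["@timestamp"] = local.strftime("%Y-%m-%dT%H:%M:%S.000Z")  # UTC, as in PIPELINE
    return doc


def mapping_problems(doc):
    """Integer-mapped fields whose value the Step 3 template would reject."""
    return sorted(k for k in NUMERIC_FIELDS if k in doc and not doc[k].isdigit())


def run(log_text):
    """Process every line; return (documents to index, lines dropped)."""
    docs, dropped = [], []
    for line in log_text.splitlines():
        doc = process(line)
        (dropped if doc is None else docs).append(line if doc is None else doc)
    return docs, dropped


if __name__ == "__main__":
    docs, dropped = run(SAMPLE_LOG)
    print(f"{len(docs)} documents, {len(dropped)} header/blank lines dropped")
    for doc in docs:
        print(doc["@timestamp"], doc["windows_firewall.protocol"], mapping_problems(doc))
    # Without the placeholder cleanup every entry has a "-" in some numeric field:
    raw = dissect(DISSECT_PATTERN, SAMPLE_LOG.splitlines()[-1])
    print("ICMP entry straight from dissect:", mapping_problems(raw))
```

`json.dumps(PIPELINE)` is the body for `PUT _ingest/pipeline/logs-windows_firewall-default`, and the same sample lines can be pushed through `POST _ingest/pipeline/logs-windows_firewall-default/_simulate` to confirm the cluster agrees with the local result. The point of the raw-dissect print at the end is that with the pattern alone every entry, not just the ICMP ones, carries a `-` in at least one integer-mapped column, so the placeholder cleanup is not optional.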