windows-firewall-logs Log Parser

Installation

cscli parsers install crowdsecurity/windows-firewall-logs

Description

A parser for windows firewall logs.

This only handles logs that contains both DROP and RECEIVE to avoid false positives for outgoing traffic or logging for successful connections.

You need to enable logging for dropped packets (off by default): https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log

Format is:

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid
2022-01-31 12:24:51 DROP TCP 192.168.9.163 192.168.9.212 63619 445 64 S 1031365855 0 65535 - - - RECEIVE 4

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program == 'windows-firewall' and evt.Parsed.message contains ' DROP TCP ' and evt.Parsed.message contains ' RECEIVE'"
3name: crowdsecurity/windows-firewall-logs
4description: "Parse windows firewall drop logs"
5grok:
6  pattern: "%{TIMESTAMP_ISO8601:date} DROP TCP %{IP:src_ip} %{IP:dst_ip} %{INT:src_port} %{INT:dst_port} %{INT:size} %{WORD:flags} %{INT:tcpsyn} %{INT:tcpack} %{INT:window} - - - RECEIVE( %{INT:pid})?" 
7  apply_on: message
8statics:
9    - meta: service
10      value: tcp
11    - meta: log_type
12      value: iptables_drop
13    - meta: source_ip
14      expression: "evt.Parsed.src_ip"
15    - target: evt.StrTime
16      expression: evt.Parsed.date
17
18

Hub configuration

« windows-firewall-logs »
v0.3 by crowdsecurity
Log parser

Hub configuration

« windows-firewall-logs »v0.3 by crowdsecurityLog parser

« windows-firewall-logs »
v0.3 by crowdsecurity
Log parser