The Splunk Technology Add-On for Windows Firewall provides field extractions and CIM (Common Information Model) normalization for Windows Firewall logs.
Windows Firewall does not write a log file until logging is turned on. Enable logging of dropped packets (and, if you want full connection visibility, allowed packets too) for each profile in the "Windows Firewall with Advanced Security" console: run wf.msc from a command prompt, open the properties of each profile (Domain, Private, Public) and use the Logging tab. The same settings can be applied per profile with the Set-NetFirewallProfile PowerShell cmdlet. The default log location is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
Download this TA and place it in $SPLUNK_HOME/etc/apps on your search head and on every universal forwarder that reads the log.
The file input ships disabled. To collect data on a forwarder, create local/inputs.conf inside the TA with the following stanza:
[monitor://C:\Windows\system32\LogFiles\Firewall\pfirewall.log]
disabled = false
sourcetype = winfw
Verify that the input and the extractions work by searching for the tags the CIM Network Traffic data model uses:
sourcetype=winfw tag=network tag=communicate
If events arrive but the tags are missing, the TA is not installed (or not enabled) on the search head; if no events arrive at all, check that the forwarder's service account can read pfirewall.log and that logging is actually enabled on the active profile.
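To make the extraction and normalization concrete, here is an added example, not code from the TA: a small parser for pfirewall.log that reads the W3C-style #Fields header, splits each record into the named columns, and maps them to CIM Network Traffic field names (action, src_ip, dest_ip, dest_port, transport, direction). The sample log below is constructed, the exact field mapping is an assumption about what the TA does rather than a copy of its props/transforms, and the INFO-EVENTS-LOST line is included to show the parser tolerating a record with no connection fields.

```python
"""Parse Windows Firewall pfirewall.log records and normalize them to
CIM Network Traffic fields.  Added example; not part of the Splunk TA."""
from collections import Counter
from datetime import datetime

# Constructed sample log: the header format and column order match what
# Windows Firewall writes, the records themselves are made up.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 08:15:02 DROP TCP 192.0.2.10 10.0.0.5 51234 445 52 S 123456789 0 8192 - - - RECEIVE
2024-03-01 08:15:03 ALLOW UDP 10.0.0.5 10.0.0.53 60001 53 0 - - - - - - - SEND
2024-03-01 08:15:04 DROP ICMP 198.51.100.7 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 08:15:05 INFO-EVENTS-LOST - - - - - - - - - - - - 12 -
"""

# Assumed mapping of firewall actions onto CIM action values.
CIM_ACTION = {"ALLOW": "allowed", "DROP": "blocked"}
# Assumed mapping of the log's path column onto CIM direction values.
CIM_DIRECTION = {"RECEIVE": "inbound", "SEND": "outbound"}


def _value(raw):
    """The log writes '-' for fields that do not apply; treat it as missing."""
    return None if raw == "-" else raw


def _int_or_none(raw):
    v = _value(raw)
    return int(v) if v is not None else None


def normalize(raw):
    """Map one record (dict keyed by #Fields names) to CIM-style field names."""
    event = {
        "_time": datetime.strptime(raw["date"] + " " + raw["time"], "%Y-%m-%d %H:%M:%S"),
        "action": CIM_ACTION.get(raw["action"], "unknown"),
        "transport": (_value(raw["protocol"]) or "").lower() or None,
        "src_ip": _value(raw["src-ip"]),
        "dest_ip": _value(raw["dst-ip"]),
        "src_port": _int_or_none(raw["src-port"]),
        "dest_port": _int_or_none(raw["dst-port"]),
        "bytes": _int_or_none(raw["size"]),
        "direction": CIM_DIRECTION.get(raw["path"]),
        "tag": ["network", "communicate"],
    }
    if raw["action"] == "INFO-EVENTS-LOST":
        # The info column carries the number of events the firewall dropped
        # from the log since the last such record (assumed layout).
        event["events_lost"] = _int_or_none(raw["info"])
    return event


def parse_pfirewall(text):
    """Parse the whole log text into a list of normalized events.

    The #Fields header is authoritative for column order, so the parser
    follows it instead of hard-coding positions; records seen before any
    header, or with a wrong column count, are rejected rather than guessed."""
    fields = None
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record encountered before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        events.append(normalize(dict(zip(fields, values))))
    return events


def top_blocked_sources(events, n=10):
    """Sources with the most blocked inbound packets, the same question the
    verification search above would answer with 'stats count by src_ip'."""
    counts = Counter(
        e["src_ip"] for e in events
        if e["action"] == "blocked" and e["direction"] == "inbound" and e["src_ip"]
    )
    return counts.most_common(n)


if __name__ == "__main__":
    for e in parse_pfirewall(SAMPLE_LOG):
        print(e)
    print(top_blocked_sources(parse_pfirewall(SAMPLE_LOG)))
```

The parser refuses records whose column count does not match the header; in a real deployment that is exactly the situation that shows up as broken extractions in Splunk when the log's field list changes between Windows versions.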