topic Re: Syslog Field Extractions in All Apps and Add-ons

Syslog Field Extractions

shawngarrettsgp — Thu, 18 Apr 2019 16:21:13 GMT

So given that netscaler 12.1 should work, I have events coming in from 4 netscalers via syslog and I named the sourcetype=citrix:netscaler:syslog which I believe is correct upon review of the default props.conf. Fields do not appear to be extracting for the sourcetype, is this an issue with rsyslog setup perhaps the way the timestamps or is there something I'm missing?

Apr 17 16:04:23 netscaler01.somelan.local  04/17/2019:16:04:17   0-PPE-0 : default TCP CONN_DELINK 11964927 0 :  Source 192.168.20.7:64151 - Vserver 192.168.20.4:443 - NatIP 192.168.20.2:49222 - Destination 192.168.20.5:443 - Delink Time 04/17/2019:16:04:17  - Total_bytes_send 0 - Total_bytes_recv 2683

Apr 17 16:04:22 netscaler01.somelan.local  04/17/2019:16:04:16   0-PPE-0 : default TCP CONN_TERMINATE 11964913 0 :  Source 192.168.20.6:80 - Destination 192.168.20.3:35760 - Start Time 04/17/2019:16:03:32  - End Time 04/17/2019:16:04:16  - Total_bytes_send 428 - Total_bytes_recv 377

Re: Syslog Field Extractions

luongg — Wed, 09 Oct 2019 16:20:52 GMT

I'm running into the same exact problem. By any chance, did you ever find a resolution to this issue?

Re: Syslog Field Extractions

wmyersas — Thu, 17 Oct 2019 19:44:29 GMT

do you have a copy of the props.conf in question handy?

Re: Syslog Field Extractions

shawngarrettsgp — Thu, 17 Oct 2019 20:27:21 GMT

nope, ran out of forks

Re: Syslog Field Extractions

shawngarrettsgp — Wed, 30 Sep 2020 02:39:18 GMT

https://splunkbase.splunk.com/app/4366/

I'm just using the default
Splunk_TA_citrix_netscaler_Enosys/default/props.conf

cat Splunk_TA_citrix_netscaler_Enosys/default/app.conf | grep -i version

This Add-on version 1.1 works only when Citrix Netscaler syslog is forwarded to Splunk SIEM via Splunk Heavy Forwarder, Splunk Enterprise or Splunk Cloud.

version = 1.1

clip of the sourcetype
[citrix:netscaler:syslog]
KV_MODE=none
SHOULD_LINEMERGE = false

REPORT-citrix_netscaler_syslog = citrix_netscaler_syslog,netscaler_syslog_quoted_fields,netscaler_syslog_unquoted_fields
EXTRACT-1-syslog_event_name = \s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+(?\w+)\s+\d+\s+0\s+:\s+.+

EVAL-bytes = Total_bytes_recv+Total_bytes_send
EVAL-dest_ip = mvindex(split(Destination,":"),0)
EVAL-dest_port = mvindex(split(Destination,":"),1)
EVAL-src_ip = mvindex(split(Source,":"),0)
EVAL-src_port = mvindex(split(Source,":"),1)
EVAL-vendor = "Citrix Systems"
FIELDALIAS-cim_builder = event_source AS app User AS user Total_bytes_recv AS bytes_in Total_bytes_send AS bytes_out ns_name AS dvc
EVAL-dest = if(isnull(Destination),if(match(event_name,".CONNSTAT$"),Remote_ip,if(match(event_name,"^LOG(IN|OUT)."),host,mvindex(split(Destination,":"),0))),mvindex(split(Destination,":"),0))
EVAL-duration = (strptime(Duration,"%H:%M:%S")-strptime("00:00:00","%H:%M:%S"))*1000
EVAL-src = if(isnull(Source),Client_ip,mvindex(split(Source,":"),0))
FIELDALIAS-device_serial_number_chassis = device_serial_number AS chassis
EVAL-action = case(match(event_name,".*CONNSTAT$"), "allowed", match(event_name,"^LOG(IN|OUT)$"), "success", match(event_name,"LOGIN_FAILED"), "failure")

Re: Syslog Field Extractions

wmyersas — Thu, 17 Oct 2019 20:39:07 GMT

a little weird that here's no TIMESTAMP definition in there - especially when the time seems to show up more than once in the event line

Re: Syslog Field Extractions

sandeepmakkena — Thu, 17 Oct 2019 22:44:20 GMT

https://answers.splunk.com/answers/6573/alternative-ways-to-assigning-sourcetype.html

I found a similar question answered, please take a look at the above link.

Hope this helps, Thanks!

Re: Syslog Field Extractions

edhealea — Tue, 12 Nov 2019 22:28:14 GMT

I am using rsyslog to read in my netscaler events.
I have inputs.conf set up to read in all of my rsyslog events and set the sourcetype for each.
This is my Netscaler code in my local/inputs.conf

Netscaler

[monitor:///opt/syslog/netscaler//.log]
sourcetype=citrix:netscaler:syslog
index=network
host_segment=4
disabled=false

Then I use a local/props.conf to establish the time and the local/transfroms to extract the netscaler hostname.
From there the rest of the fields are extracted by the netscaler add-on.

If you want to try this route, I can work you up a time and hostname extract based on your log example.