I am using the Splunk for Citrix NetScaler app, with somewhat mixed success. It seems that Citrix has changed some of their message formats over the versions. While I'm monitoring a NetScaler version that the Splunk app nominally supports, it mis-parses some of the messages.

I've tried to disable the transform that is mis-parsing the messages, and replace it with ones that match the messages, but the old one is still being used.

The app comes with a default transform for app firewall log messages. From splunk/etc/apps/SplunkforCitrixNetScaler/default/transforms.conf:

[ns_firewall_extract]
REGEX = APPFW\sAPPFW_(\S+)\s\d+\s+:\s+(\S+)\s(\S+)\s(\S+)\s(\S+)\s(.*)<(.*)\>
FORMAT = violation::$1 src_ip::$2 session_id::$3 profile::$4 url::$5 msg::$6 action::$7

I've written two transforms that match what the NetScaler is actually sending, and disabled the non-functioning one. From splunk/etc/apps/SplunkforCitrixNetScaler/local/transforms.conf:

[ns_firewall_extract]
disabled = 1
FORMAT = violation::$1 src_ip::$2 session_id::$3 profile::$4 url::$5 msg::$6 action::$7
REGEX = APPFW\sAPPFW_(\S+)\s\d+\s+:\s+(\S+)\s(\S+)\s(\S+)\s(\S+)\s(.*)<(.*)\>

[ns_firewall_extract_1]
CLEAN_KEYS = 1
FORMAT = violation::$1 src_ip::$2 profile::$3 msg::$4 url::$5 action::$6
MV_ADD = 0
REGEX = APPFW\sAPPFW_(STARTURL|DENYURL|BUFFEROVERFLOW_URL|BUFFEROVERFLOW_COOKIE|BUFFEROVERFLOW_HDR)\s\d+\s+:\s+(\S+)\s(\S+)\s(\.*):\s(.*)\s<(.*)\>

[ns_firewall_extract_2]
CLEAN_KEYS = 1
FORMAT = violation::$1 src_ip::$2 profile::$3 url::$4 msg::$5 action::$6
MV_ADD = 0
REGEX = APPFW\sAPPFW_(XSS|SQL|COOKIE|FIELDFORMAT|SAFECOMMERCE|SAFEOBJECT)\s\d+\s+\:\s+(S+)\s(S+)\s(\S+)\s(.*)<(.*)\>

And yet the messages are still being parsed into fields using the old definitions, that don't match our NetScaler version.

In case it's relevant, I haven't been editing the .conf files directly, but only through the web GUI.