Hello
I'm using Splunk 6.3 and the Splunk Add-on for Citrix NetScaler 6.1.0. I am collecting syslog at a heavy forwarder (using syslog-ng) and forwarding via a file-monitor. I'm statically assigning the sourcetype (citrix:netscaler:syslog) and it shows up when I search for events with that sourcetype, however, none of the field extractions are populating except 'vendor' "Citrix Systems".
I checked with btool and I can see my props on both the indexer and the heavy forwarder seem to be correct.
Any ideas?
Here is a sample raw log entry from syslog:
May 11 08:41:52 10.250.255.187 05/11/2016:12:54:07 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 7292348 0 : Context username@10.x.x.176 - SessionId: 22366- User username- Client_ip 10.x.x.176 - Nat_ip "Mapped Ip" - Vserver 10.x.x.51:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" - SSLVPN_client_type ICA - Group(s) "VDIUsersGroup"
Here is my inputs.conf on the heavy forwarder:
[monitor:///opt/splunk/syslog/citrix/.../host.log]
sourcetype = citrix:netscaler:syslog
disabled = 0
host_segment = 5
Oh yeah I fixed this! Thanks for reminding me 🙂
I had 2 issues. First I'm using syslog-ng to recieve all my syslog before sending it to splunk. Syslog-ng adds a timestamp and the IP to each log line, secondly v11 has an extra field for protocol or log type (I'm not sure which) in the middle of the log, so the extract breaks.
This will correctly parse the syslog header:
\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+
This will correctly parse the v11 log line:
\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+(?P<syslog_message>.+)
So the combined extract in my props.conf on the indexer in the splunkhome\etc\apps\Splunk_TA_netscaler\local\props.conf is:
[citrix:netscaler:syslog]
EXTRACT-1-syslog = \w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+(?P<syslog_message>.+)
We are now maintaining this TA to ensure its vetted and continues to parse (https://splunkbase.splunk.com/app/4238/) .
We have a few updates happening over the next few days, so, please wait before downloading it .. but.. it is working well and vetted for cloud.
Greetings!
I am running the latest Splunk Add-on for Citrix NetScaler, and ingesting data from Netscalers with V11 and V10.5 devices.
My V11 netscalers are properly showing all fields, while those with V10.5 are not.
I am receiving data via syslog-NG with a UF installed, and my environment is a SH and index clustered.
I would like to have fields available for all devices, any suggestions to achieve this?
Thank you,
-mi
If you are a lazy to type (like me), you could parse the syslog header with
^[^.]*(.\d+){3}\s+
instead of
\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s+
and then follow the remaining regex as per your suggestion. Though I had to modify the 2nd part a little bit as per below, because my netscaler name had - sign, which it could not parse as is.
[\d\/]{10}(:\d{2}){3}\s+(?P\S+)\s+(?P\S+)\s+:(\s+[^:]+)?\s+(?P\w+)\s+(?P\w+)\s+(?P\d+)\s+0\s+:\s+(?P.+)
So the complete regex would look like:
^[^.]*(.\d+){3}\s+[\d\/]{10}(:\d{2}){3}\s+(?P\S+)\s+(?P\S+)\s+:(\s+[^:]+)?\s+(?P\w+)\s+(?P\w+)\s+(?P\d+)\s+0\s+:\s+(?P.+)
Darlas, If you can post some log files, I can look at it.
Hi.
I actually figured it out. Here is my transforms.conf.
[citrix_netscaler_syslog]
REGEX = ^(\w){3}\s(\d){2}\s(\d){2}:(\d){2}:(\d){2}\s(\w)(\s)\d{2}\/\d{2}\/\d{4}(:\d{2}){3}(\s)*(?P\S+)\s+(?P\S+)\s+:\s+(?P\w+)\s+(?P\w+)\s+(?P\w+)\s+(?P\d+)\s+0\s+:\s+(?P.+)
This likely is not the most elegant regex but it works 🙂
Thanks for offering your help though!
-Darla
Hi.
I'm having this same issue. I tried adding the line in my splunkhome/etc/apps/Splunk_TA_netscaler/local/props.conf file and restarted splunk but nothing changed.
Any ideas what I am missing?
Thanks!
Oh yeah I fixed this! Thanks for reminding me 🙂
I had 2 issues. First I'm using syslog-ng to recieve all my syslog before sending it to splunk. Syslog-ng adds a timestamp and the IP to each log line, secondly v11 has an extra field for protocol or log type (I'm not sure which) in the middle of the log, so the extract breaks.
This will correctly parse the syslog header:
\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+
This will correctly parse the v11 log line:
\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+(?P<syslog_message>.+)
So the combined extract in my props.conf on the indexer in the splunkhome\etc\apps\Splunk_TA_netscaler\local\props.conf is:
[citrix:netscaler:syslog]
EXTRACT-1-syslog = \w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+(?P<syslog_message>.+)
I was able to bypass this by configuring the template filter of the destination to "$MSGHDR$MSG\n":
destination d_splunkdata_netscaler { file("/<PATH>/$HOST/logs.${YEAR}.${MONTH}.${DAY}" create_dirs(yes) dir-group("splunk") dir-owner("splunk") dir-perm(0744) template("$MSGHDR$MSG\n") ); };
I'm experiencing the exact same problem.