
Splunk Add-on for Citrix NetScaler 6.1.0: Why are fields not getting parsed for a Netscaler v11 Syslog input on a heavy forwarder?

kmuellercm
Explorer

Hello

I'm using Splunk 6.3 and the Splunk Add-on for Citrix NetScaler 6.1.0. I am collecting syslog at a heavy forwarder (using syslog-ng) and forwarding via a file-monitor. I'm statically assigning the sourcetype (citrix:netscaler:syslog) and it shows up when I search for events with that sourcetype, however, none of the field extractions are populating except 'vendor' "Citrix Systems".

I checked with btool and I can see my props on both the indexer and the heavy forwarder seem to be correct.

Any ideas?

Here is a sample raw log entry from syslog:

    May 11 08:41:52 10.250.255.187 05/11/2016:12:54:07 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 7292348 0 : Context username@10.x.x.176 - SessionId: 22366- User username- Client_ip 10.x.x.176 - Nat_ip "Mapped Ip" - Vserver 10.x.x.51:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" - SSLVPN_client_type ICA - Group(s) "VDIUsersGroup"

Here is my inputs.conf on the heavy forwarder:

    [monitor:///opt/splunk/syslog/citrix/.../host.log]
    sourcetype = citrix:netscaler:syslog
    disabled = 0
    host_segment = 5

0 Karma
1 Solution

kmuellercm
Explorer

Oh yeah I fixed this! Thanks for reminding me 🙂

I had 2 issues. First, I'm using syslog-ng to receive all my syslog before sending it to Splunk. Syslog-ng adds a timestamp and the IP to each log line. Secondly, v11 has an extra field for protocol or log type (I'm not sure which) in the middle of the log, so the extract breaks.

This will correctly parse the syslog header:

    \w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+ 

This will correctly parse the v11 log line:

    \d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+(?P<syslog_message>.+)

So the combined extract in my props.conf on the indexer in the splunkhome\etc\apps\Splunk_TA_netscaler\local\props.conf is:

    [citrix:netscaler:syslog]
    EXTRACT-1-syslog = \w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+(?P<syslog_message>.+)


simonsigre
Path Finder

We are now maintaining this TA to ensure it's vetted and continues to parse (https://splunkbase.splunk.com/app/4238/).
We have a few updates happening over the next few days, so please wait before downloading it... but it is working well and vetted for cloud.

nychawk
Communicator

Greetings!

I am running the latest Splunk Add-on for Citrix NetScaler, and ingesting data from Netscalers with V11 and V10.5 devices.
My V11 netscalers are properly showing all fields, while those with V10.5 are not.

I am receiving data via syslog-NG with a UF installed, and my environment is a SH and index clustered.

I would like to have fields available for all devices, any suggestions to achieve this?

Thank you,

-mi

0 Karma
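To see what the accepted answer's combined EXTRACT regex actually pulls out of the sample line, and why a line lacking the extra v11 token (as nychawk reports for v10.5 devices) yields no fields at all, here is an added Python check. It is not code from the thread or from the Splunk add-on; it reuses kmuellercm's regex verbatim (Python's `re` accepts the same `(?P<name>...)` syntax Splunk's PCRE engine uses) and runs it unanchored, the way a Splunk EXTRACT-* stanza does. The v10.5-style line is constructed for illustration on the assumption that the only difference is the missing `proto` token, and the `NETSCALER_ANY_RE` variant that makes that token optional is my suggestion, not anything the thread posted.

```python
import re

# Combined regex exactly as posted in the accepted answer:
# syslog-ng prefix (timestamp + source IP) followed by the NetScaler v11 body.
NETSCALER_V11_RE = re.compile(
    r"\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+"
    r"\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+"
    r"(?P<event_source>\w+)\s+(?P<proto>\w+)\s+(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+"
    r"(?P<syslog_message>.+)"
)

# ASSUMED variant (not from the thread): the v11-only token is wrapped in an
# optional non-capturing group so the same stanza also matches lines without it.
NETSCALER_ANY_RE = re.compile(
    r"\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+"
    r"\d{2}\/\d{2}\/\d{4}(:\d{2}){3}\s+\w{3}\s+(?P<ns_name>\S+)\s+(?P<packet_engine_name>\S+)\s+:\s+"
    r"(?P<event_source>\w+)\s+(?:(?P<proto>\w+)\s+)?(?P<event_name>\w+)\s+(?P<event_id>\d+)\s+0\s+:\s+"
    r"(?P<syslog_message>.+)"
)

# Sample line copied from the question (syslog-ng prefix + v11 body).
SAMPLE_V11 = (
    'May 11 08:41:52 10.250.255.187 05/11/2016:12:54:07 GMT ns01 0-PPE-0 : '
    'default SSLVPN LOGIN 7292348 0 : Context username@10.x.x.176 - SessionId: 22366- '
    'User username- Client_ip 10.x.x.176 - Nat_ip "Mapped Ip" - Vserver 10.x.x.51:443 - '
    'Browser_type "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" - '
    'SSLVPN_client_type ICA - Group(s) "VDIUsersGroup"'
)

# CONSTRUCTED v10.5-style line: identical except the "SSLVPN" token is absent.
SAMPLE_V105 = SAMPLE_V11.replace("default SSLVPN LOGIN", "default LOGIN")

# CONSTRUCTED line with no syslog-ng prefix at all (what the event looks like
# if the relay does not prepend its own timestamp and source IP).
RAW_NO_PREFIX = SAMPLE_V11[len("May 11 08:41:52 10.250.255.187 "):]


def extract_fields(line, pattern=NETSCALER_V11_RE):
    """Mimic a Splunk EXTRACT-* stanza: unanchored search, named groups become fields.

    Returns a dict of the populated named groups, or None when the regex does not
    match (which is what an empty field extraction looks like in search).
    """
    match = pattern.search(line)
    if match is None:
        return None
    return {name: value for name, value in match.groupdict().items() if value is not None}


if __name__ == "__main__":
    for label, line in (("v11", SAMPLE_V11), ("v10.5", SAMPLE_V105), ("no prefix", RAW_NO_PREFIX)):
        print(f"{label:10} thread regex  -> {extract_fields(line)}")
        print(f"{label:10} optional proto-> {extract_fields(line, NETSCALER_ANY_RE)}")
```

Running it shows the thread's regex filling all seven fields for the v11 line, returning nothing for the line without the extra token, and returning nothing for a line that lacks the syslog-ng prefix the regex starts with; the optional-token variant parses both NetScaler forms, with `proto` simply absent on the older one. If you adopt such a variant, check it against real v10.5 events before putting it in `local/props.conf`, since the assumption here is only that the extra token is the sole difference.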

ashabc
Contributor

If you are too lazy to type (like me), you could parse the syslog header with

    ^[^.]*(.\d+){3}\s+

instead of

    \w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{1,3}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+

and then follow the remaining regex as per your suggestion. Though I had to modify the 2nd part a little bit as per below, because my netscaler name had a - sign, which it could not parse as is.

    [\d\/]{10}(:\d{2}){3}\s+(?P\S+)\s+(?P\S+)\s+:(\s+[^:]+)?\s+(?P\w+)\s+(?P\w+)\s+(?P\d+)\s+0\s+:\s+(?P.+)

So the complete regex would look like:

    ^[^.]*(.\d+){3}\s+[\d\/]{10}(:\d{2}){3}\s+(?P\S+)\s+(?P\S+)\s+:(\s+[^:]+)?\s+(?P\w+)\s+(?P\w+)\s+(?P\d+)\s+0\s+:\s+(?P.+)

0 Karma

ashabc
Contributor

Darlas, If you can post some log files, I can look at it.

0 Karma

darlas
Communicator

Hi.

I actually figured it out. Here is my transforms.conf.

    [citrix_netscaler_syslog]
    REGEX = ^(\w){3}\s(\d){2}\s(\d){2}:(\d){2}:(\d){2}\s(\w)(\s)\d{2}\/\d{2}\/\d{4}(:\d{2}){3}(\s)*(?P\S+)\s+(?P\S+)\s+:\s+(?P\w+)\s+(?P\w+)\s+(?P\w+)\s+(?P\d+)\s+0\s+:\s+(?P.+)

This likely is not the most elegant regex but it works 🙂

Thanks for offering your help though!

-Darla

0 Karma

darlas
Communicator

Hi.

I'm having this same issue. I tried adding the line in my splunkhome/etc/apps/Splunk_TA_netscaler/local/props.conf file and restarted splunk but nothing changed.

Any ideas what I am missing?

Thanks!

0 Karma

DavidH1
Explorer

I was able to bypass this by configuring the template filter of the destination to "$MSGHDR$MSG\n":

    destination d_splunkdata_netscaler { file("/<PATH>/$HOST/logs.${YEAR}.${MONTH}.${DAY}" create_dirs(yes) dir-group("splunk") dir-owner("splunk") dir-perm(0744) template("$MSGHDR$MSG\n") ); };

0 Karma

splunker288
Explorer

I'm experiencing the exact same problem.

0 Karma