
Syslog Field Extractions

shawngarrettsgp
Path Finder

So given that NetScaler 12.1 should work, I have events coming in from 4 NetScalers via syslog, and I named the sourcetype citrix:netscaler:syslog, which I believe is correct upon review of the default props.conf. Fields do not appear to be extracting for the sourcetype. Is this an issue with the rsyslog setup (perhaps the way the timestamps are handled), or is there something I'm missing?

Apr 17 16:04:23 netscaler01.somelan.local  04/17/2019:16:04:17   0-PPE-0 : default TCP CONN_DELINK 11964927 0 :  Source 192.168.20.7:64151 - Vserver 192.168.20.4:443 - NatIP 192.168.20.2:49222 - Destination 192.168.20.5:443 - Delink Time 04/17/2019:16:04:17  - Total_bytes_send 0 - Total_bytes_recv 2683

Apr 17 16:04:22 netscaler01.somelan.local  04/17/2019:16:04:16   0-PPE-0 : default TCP CONN_TERMINATE 11964913 0 :  Source 192.168.20.6:80 - Destination 192.168.20.3:35760 - Start Time 04/17/2019:16:03:32  - End Time 04/17/2019:16:04:16  - Total_bytes_send 428 - Total_bytes_recv 377 
0 Karma

edhealea
Path Finder

I am using rsyslog to read in my netscaler events.
I have inputs.conf set up to read in all of my rsyslog events and set the sourcetype for each.
This is my Netscaler code in my local/inputs.conf

Netscaler

[monitor:///opt/syslog/netscaler/*/*.log]
sourcetype=citrix:netscaler:syslog
index=network
host_segment=4
disabled=false

Then I use a local/props.conf to establish the time and the local/transforms.conf to extract the NetScaler hostname.
From there, the rest of the fields are extracted by the NetScaler add-on.

If you want to try this route, I can work you up a time and hostname extract based on your log example.

0 Karma

sandeepmakkena
Contributor

https://answers.splunk.com/answers/6573/alternative-ways-to-assigning-sourcetype.html

I found a similar question answered, please take a look at the above link.

Hope this helps, Thanks!

0 Karma

wmyersas
Builder

do you have a copy of the props.conf in question handy?

0 Karma

shawngarrettsgp
Path Finder

https://splunkbase.splunk.com/app/4366/

I'm just using the default
Splunk_TA_citrix_netscaler_Enosys/default/props.conf

cat Splunk_TA_citrix_netscaler_Enosys/default/app.conf | grep -i version

This Add-on version 1.1 works only when Citrix Netscaler syslog is forwarded to Splunk SIEM via Splunk Heavy Forwarder, Splunk Enterprise or Splunk Cloud.

version = 1.1


clip of the sourcetype
[citrix:netscaler:syslog]
KV_MODE=none
SHOULD_LINEMERGE = false

REPORT-citrix_netscaler_syslog = citrix_netscaler_syslog,netscaler_syslog_quoted_fields,netscaler_syslog_unquoted_fields
EXTRACT-1-syslog_event_name = \s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+(?<event_name>\w+)\s+\d+\s+0\s+:\s+.+

EVAL-bytes = Total_bytes_recv+Total_bytes_send
EVAL-dest_ip = mvindex(split(Destination,":"),0)
EVAL-dest_port = mvindex(split(Destination,":"),1)
EVAL-src_ip = mvindex(split(Source,":"),0)
EVAL-src_port = mvindex(split(Source,":"),1)
EVAL-vendor = "Citrix Systems"
FIELDALIAS-cim_builder = event_source AS app User AS user Total_bytes_recv AS bytes_in Total_bytes_send AS bytes_out ns_name AS dvc
EVAL-dest = if(isnull(Destination),if(match(event_name,".*CONNSTAT$"),Remote_ip,if(match(event_name,"^LOG(IN|OUT).*"),host,mvindex(split(Destination,":"),0))),mvindex(split(Destination,":"),0))
EVAL-duration = (strptime(Duration,"%H:%M:%S")-strptime("00:00:00","%H:%M:%S"))*1000
EVAL-src = if(isnull(Source),Client_ip,mvindex(split(Source,":"),0))
FIELDALIAS-device_serial_number_chassis = device_serial_number AS chassis
EVAL-action = case(match(event_name,".*CONNSTAT$"), "allowed", match(event_name,"^LOG(IN|OUT)$"), "success", match(event_name,"LOGIN_FAILED"), "failure")

0 Karma
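To see why the add-on's extraction stays silent on these events, here is a small Python check, added here and not code from the thread or from the add-on, that runs the EXTRACT-1-syslog_event_name regex from the clipped props.conf over the two posted events and over a constructed event in the shape the regex is written for (a three-letter timezone token and a NetScaler hostname between the NetScaler timestamp and the PPE id; that shape is an assumption read off the regex itself, not taken from the thread).

```python
import re

# The EXTRACT-1-syslog_event_name regex from the clipped props.conf. Splunk uses PCRE
# named groups (?<name>...); Python's re module needs the (?P<name>...) spelling.
EXTRACT_EVENT_NAME = re.compile(
    r"\s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+"
    r"(?P<event_name>\w+)\s+\d+\s+0\s+:\s+.+"
)

# Events exactly as posted in the question: rsyslog header, then the NetScaler message,
# which has no timezone token and no NetScaler hostname in front of "0-PPE-0".
POSTED_EVENTS = [
    "Apr 17 16:04:23 netscaler01.somelan.local  04/17/2019:16:04:17   0-PPE-0 : default TCP "
    "CONN_DELINK 11964927 0 :  Source 192.168.20.7:64151 - Vserver 192.168.20.4:443 - NatIP "
    "192.168.20.2:49222 - Destination 192.168.20.5:443 - Delink Time 04/17/2019:16:04:17  - "
    "Total_bytes_send 0 - Total_bytes_recv 2683",
    "Apr 17 16:04:22 netscaler01.somelan.local  04/17/2019:16:04:16   0-PPE-0 : default TCP "
    "CONN_TERMINATE 11964913 0 :  Source 192.168.20.6:80 - Destination 192.168.20.3:35760 - "
    "Start Time 04/17/2019:16:03:32  - End Time 04/17/2019:16:04:16  - Total_bytes_send 428 - "
    "Total_bytes_recv 377",
]

# Constructed event (assumption): the layout the regex expects, i.e. "<timestamp> GMT <host>"
# ahead of the PPE id. Only the tokens between the timestamp and the PPE id differ.
CONSTRUCTED_EVENT = (
    "Apr 17 16:04:23 netscaler01.somelan.local 04/17/2019:16:04:17 GMT netscaler01 0-PPE-0 : "
    "default TCP CONN_DELINK 11964927 0 :  Source 192.168.20.7:64151 - Destination "
    "192.168.20.5:443 - Total_bytes_send 0 - Total_bytes_recv 2683"
)


def extract_event_name(raw):
    """Return the event_name the add-on's regex would extract, or None when it does not match.

    Splunk EXTRACT-* regexes are unanchored, so re.search mirrors their behaviour.
    """
    match = EXTRACT_EVENT_NAME.search(raw)
    return match.group("event_name") if match else None


def check_events(events):
    """Map each event (keyed by its first 60 characters) to the extracted event_name or None."""
    return {raw[:60]: extract_event_name(raw) for raw in events}


if __name__ == "__main__":
    for key, name in check_events(POSTED_EVENTS + [CONSTRUCTED_EVENT]).items():
        print(f"{name or 'NO MATCH':12} <- {key}...")
```

The posted events never match because `\w{3}\s+\S+\s+\S+` needs a timezone word and a hostname before the PPE id, so none of the downstream EVAL-* fields that depend on event_name get a value either.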

wmyersas
Builder

a little weird that there's no TIMESTAMP definition in there - especially when the time seems to show up more than once in the event line

0 Karma

luongg
Explorer

I'm running into the same exact problem. By any chance, did you ever find a resolution to this issue?

0 Karma

shawngarrettsgp
Path Finder

nope, ran out of forks

0 Karma