- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Syslog Field Extractions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Syslog Field Extractions
So given that netscaler 12.1 should work, I have events coming in from 4 netscalers via syslog and I named the sourcetype=citrix:netscaler:syslog which I believe is correct upon review of the default props.conf. Fields do not appear to be extracting for the sourcetype, is this an issue with rsyslog setup perhaps the way the timestamps or is there something I'm missing?
Apr 17 16:04:23 netscaler01.somelan.local 04/17/2019:16:04:17 0-PPE-0 : default TCP CONN_DELINK 11964927 0 : Source 192.168.20.7:64151 - Vserver 192.168.20.4:443 - NatIP 192.168.20.2:49222 - Destination 192.168.20.5:443 - Delink Time 04/17/2019:16:04:17 - Total_bytes_send 0 - Total_bytes_recv 2683
Apr 17 16:04:22 netscaler01.somelan.local 04/17/2019:16:04:16 0-PPE-0 : default TCP CONN_TERMINATE 11964913 0 : Source 192.168.20.6:80 - Destination 192.168.20.3:35760 - Start Time 04/17/2019:16:03:32 - End Time 04/17/2019:16:04:16 - Total_bytes_send 428 - Total_bytes_recv 377
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using rsyslog to read in my netscaler events.
I have inputs.conf set up to read in all of my rsyslog events and set the sourcetype for each.
This is my Netscaler code in my local/inputs.conf
Netscaler
[monitor:///opt/syslog/netscaler//.log]
sourcetype=citrix:netscaler:syslog
index=network
host_segment=4
disabled=false
Then I use a local/props.conf to establish the time and the local/transfroms to extract the netscaler hostname.
From there the rest of the fields are extracted by the netscaler add-on.
If you want to try this route, I can work you up a time and hostname extract based on your log example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://answers.splunk.com/answers/6573/alternative-ways-to-assigning-sourcetype.html
I found a similar question answered, please take a look at the above link.
Hope this helps, Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you have a copy of the props.conf in question handy?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://splunkbase.splunk.com/app/4366/
I'm just using the default
Splunk_TA_citrix_netscaler_Enosys/default/props.conf
cat Splunk_TA_citrix_netscaler_Enosys/default/app.conf | grep -i version
This Add-on version 1.1 works only when Citrix Netscaler syslog is forwarded to Splunk SIEM via Splunk Heavy Forwarder, Splunk Enterprise or Splunk Cloud.
version = 1.1
clip of the sourcetype
[citrix:netscaler:syslog]
KV_MODE=none
SHOULD_LINEMERGE = false
REPORT-citrix_netscaler_syslog = citrix_netscaler_syslog,netscaler_syslog_quoted_fields,netscaler_syslog_unquoted_fields
EXTRACT-1-syslog_event_name = \s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+(?\w+)\s+\d+\s+0\s+:\s+.+
EVAL-bytes = Total_bytes_recv+Total_bytes_send
EVAL-dest_ip = mvindex(split(Destination,":"),0)
EVAL-dest_port = mvindex(split(Destination,":"),1)
EVAL-src_ip = mvindex(split(Source,":"),0)
EVAL-src_port = mvindex(split(Source,":"),1)
EVAL-vendor = "Citrix Systems"
FIELDALIAS-cim_builder = event_source AS app User AS user Total_bytes_recv AS bytes_in Total_bytes_send AS bytes_out ns_name AS dvc
EVAL-dest = if(isnull(Destination),if(match(event_name,".CONNSTAT$"),Remote_ip,if(match(event_name,"^LOG(IN|OUT)."),host,mvindex(split(Destination,":"),0))),mvindex(split(Destination,":"),0))
EVAL-duration = (strptime(Duration,"%H:%M:%S")-strptime("00:00:00","%H:%M:%S"))*1000
EVAL-src = if(isnull(Source),Client_ip,mvindex(split(Source,":"),0))
FIELDALIAS-device_serial_number_chassis = device_serial_number AS chassis
EVAL-action = case(match(event_name,".*CONNSTAT$"), "allowed", match(event_name,"^LOG(IN|OUT)$"), "success", match(event_name,"LOGIN_FAILED"), "failure")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a little weird that here's no TIMESTAMP definition in there - especially when the time seems to show up more than once in the event line
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running into the same exact problem. By any chance, did you ever find a resolution to this issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nope, ran out of forks
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
