Hi,
I am running Splunk standalone 8.4.1 with the Citrix add-on 8.2.3 installed. I also have SC4S running version 3.31.0.
I configured Citrix to send syslog events to SC4S, and running a tcpdump on SC4S, I see those events arriving.
According to the documentation, nothing else needs to be done at the SC4S level.
https://splunk.github.io/splunk-connect-for-syslog/3.31.0/sources/vendor/Citrix/netscaler/
Unfortunately, I don't see any Citrix events in Splunk. I searched in index "netfw" and also filtered by sourcetype (sourcetype="citrix*" and index=*); in both cases there are no events.
Other events, from our firewall, are reaching Splunk without any issue via the same SC4S server, so I ruled out network issues.
Any idea about what could be happening? Are there any SC4S logs that I could check?
Thanks a lot.
For your reference, below is the syslog event received in SC4S that does not seem to trigger the parser:
/etc/syslog-ng/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf
tcpdump -n -vvv -i eth0 host 10.143.6.21 -s 0
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:06:40.745046 IP (tos 0x0, ttl 255, id 21289, offset 0, flags [none], proto UDP (17), length 289)
10.X.Y.Z.23350 > 192.X.Y.Z.syslog: [udp sum ok] SYSLOG, length: 261
Facility local0 (16), Severity info (6)
Msg: 12/05/2025:11:06:40 host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 : Source 192.X.Y.Z:636 - Destination 10.X.Y.z:53621 - Start Time 12/05/2025:11:06:40 - End Time 12/05/2025:11:06:40 - Total_bytes_send 0 - Total_bytes_recv 1 \0x0a
Any idea about how to see why it does not match? Should I create some specific parser to force this trigger?
Thanks.
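As an added example (not part of this post and not SC4S's own filter), here is a small Python parser for the NetScaler native-format message captured above; the header regex, the field names and the sample line are assumptions derived from that single tcpdump line, and the parser gives a quick offline way to see which captured lines carry the expected header and which do not.

```python
import re
from datetime import datetime
from typing import Optional

# Assumed layout of the NetScaler native header, taken from the captured line:
#   [<PRI>]<date>:<time> <host> <n>-PPE-<n> : <partition> <feature> <event> <seq> <flags> : <body>
# The optional <PRI> allows for the syslog priority that tcpdump decoded as "local0 / info".
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<ppe>\d+-PPE-\d+)\s+:\s+"
    r"(?P<partition>\S+)\s+(?P<feature>\S+)\s+(?P<event>\S+)\s+"
    r"(?P<seq>\d+)\s+(?P<flags>\d+)\s+:\s*"
    r"(?P<body>.*?)\s*$"
)

# Constructed sample modelled on the post's message, with documentation IPs and a made-up host.
SAMPLE = ("12/05/2025:11:06:40 ns-host-example 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 : "
          "Source 192.0.2.10:636 - Destination 198.51.100.7:53621 - "
          "Start Time 12/05/2025:11:06:40 - End Time 12/05/2025:11:06:40 - "
          "Total_bytes_send 0 - Total_bytes_recv 1")


def parse_netscaler(msg: str) -> Optional[dict]:
    """Return a field dict for a NetScaler native-format line, or None if the header does not match."""
    m = HEADER_RE.match(msg.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["flags"] = int(rec["flags"])
    # NetScaler writes day/month/year; normalise to ISO 8601 so Splunk's timestamp extraction is unambiguous.
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%d/%m/%Y:%H:%M:%S").isoformat()
    # The body is " - " separated "Key value" pairs; the value is the last whitespace-delimited token,
    # which keeps multi-word keys such as "Start Time" intact.
    fields = {}
    for part in rec.pop("body").split(" - "):
        key, _, value = part.strip().rpartition(" ")
        if key:
            fields[key.replace(" ", "_").lower()] = value
    rec["fields"] = fields
    return rec


def classify(lines):
    """Split captured message lines into those the header regex accepts and those it rejects."""
    matched, unmatched = [], []
    for line in lines:
        (matched if parse_netscaler(line) else unmatched).append(line)
    return matched, unmatched
```

Feed it the "Msg:" text of each captured datagram; anything that lands in the unmatched list is a line whose header differs from the sample format and is worth comparing against what the SC4S filter expects.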
I found some fixes added in version 3.35.1 related to Citrix.
https://github.com/splunk/splunk-connect-for-syslog/releases?page=1
So I decided to update to the latest version, 3.36.0. Unfortunately, the issue remains. 😕