Getting Data In

CITRIX onboard via SC4S - no events in splunk

corti77
Contributor

Hi,

I am running Splunk standalone 8.4.1 with the Citrix add-on 8.2.3 installed. I also have SC4S running, version 3.31.0.

I configured Citrix to send syslog events to SC4S, and running a tcpdump on the SC4S host I see those events arriving.

According to the documentation, nothing else needs to be done at the SC4S level.

https://splunk.github.io/splunk-connect-for-syslog/3.31.0/sources/vendor/Citrix/netscaler/

Unfortunately, I don't see any Citrix event in Splunk. I searched in index "netfw" and also filtered by sourcetype (sourcetype="citrix*" and index=*); in both cases, no events are there.

Other events, from our firewall, are reaching Splunk without any issue via the same SC4S server, so I ruled out network issues.

Any idea what could be happening? Any SC4S logs that I could check?

thanks a lot.

0 Karma

corti77
Contributor

For your reference, below is the syslog event received on SC4S that does not seem to trigger the parser
/etc/syslog-ng/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf

tcpdump -n -vvv -i eth0 host 10.143.6.21 -s 0
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:06:40.745046 IP (tos 0x0, ttl 255, id 21289, offset 0, flags [none], proto UDP (17), length 289)
    10.X.Y.Z.23350 > 192.X.Y.Z.syslog: [udp sum ok] SYSLOG, length: 261
        Facility local0 (16), Severity info (6)
        Msg:  12/05/2025:11:06:40  host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 :  Source 192.X.Y.Z:636 - Destination 10.X.Y.z:53621 - Start Time 12/05/2025:11:06:40  - End Time 12/05/2025:11:06:40  - Total_bytes_send 0 - Total_bytes_recv 1 \0x0a

Any idea how to see why it does not match? Should I create a specific parser to force this trigger?

thanks 

0 Karma
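To check locally what a fixed-layout parser would make of the line shown above, here is an added example (not code from the post and not the SC4S filter that ships in app-almost-syslog-citrix_netscaler.conf). It strips the RFC 3164 PRI prefix that tcpdump decodes as "Facility local0 (16), Severity info (6)", then applies a hypothetical regex modelled on the posted NetScaler audit layout (timestamp, hostname, packet engine, partition, feature, event, two numeric ids, then "key value" pairs joined by " - "). The sample line, the IP addresses and the regex are constructed assumptions; a line that returns None is one this layout does not accept, which is the kind of check to run before writing a custom parser.

```python
import re
from datetime import datetime
from typing import Optional, Tuple

# Constructed sample modelled on the event in the post above, with the IPs
# replaced by documentation addresses. It keeps the double space after the
# timestamp and the trailing newline the appliance sends.
SAMPLE = (
    "12/05/2025:11:06:40  host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 :  "
    "Source 192.0.2.10:636 - Destination 10.0.0.5:53621 - "
    "Start Time 12/05/2025:11:06:40  - End Time 12/05/2025:11:06:40  - "
    "Total_bytes_send 0 - Total_bytes_recv 1 \n"
)

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Assumed layout of the NetScaler audit line. This is a hypothetical regex for
# exploring the event, not the filter SC4S ships.
NETSCALER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<ppe>\d+-PPE-\d+)\s+:\s+"
    r"(?P<partition>\S+)\s+"
    r"(?P<feature>\S+)\s+"
    r"(?P<event>\S+)\s+"
    r"(?P<event_id>\d+)\s+(?P<session_id>\d+)\s+:\s+"
    r"(?P<body>.*?)\s*$",
    re.S,
)


def strip_pri(raw: str) -> Tuple[Optional[int], str]:
    """Split the RFC 3164 <PRI> prefix off a raw syslog payload.
    local0.info is facility 16 * 8 + severity 6 = 134."""
    m = PRI_RE.match(raw)
    if not m:
        return None, raw
    return int(m.group(1)), raw[m.end():]


def facility_severity(pri: int) -> Tuple[int, int]:
    """PRI -> (facility, severity), as tcpdump prints them."""
    return divmod(pri, 8)


def parse_netscaler(msg: str) -> Optional[dict]:
    """Return the parsed fields, or None when the line does not fit the layout."""
    m = NETSCALER_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%m/%d/%Y:%H:%M:%S")
    # The body is "key value" pairs separated by " - "; the key may contain
    # spaces ("Start Time"), so split off only the last token as the value.
    kv = {}
    for part in re.split(r"\s+-\s+", fields.pop("body")):
        key, _, value = part.rpartition(" ")
        kv[key.strip()] = value
    fields["kv"] = kv
    return fields


if __name__ == "__main__":
    pri, msg = strip_pri("<134>" + SAMPLE)
    print("facility/severity:", facility_severity(pri))
    parsed = parse_netscaler(msg)
    print(parsed["host"], parsed["ppe"], parsed["feature"], parsed["event"], parsed["kv"])
```

Feed it the payload bytes captured on the SC4S host rather than the tcpdump rendering: tcpdump has already removed the PRI and shows the trailing newline as \0x0a, and a real filter sees the raw payload.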

corti77
Contributor

I found some fixes added in version 3.35.1 related to Citrix.

https://github.com/splunk/splunk-connect-for-syslog/releases?page=1

So I decided to update to the latest version 3.36.0. Unfortunately, the issue remains. 😕

0 Karma