Getting Data In

CITRIX onboard via SC4S - no events in splunk

corti77
Contributor

Hi,

I am running Splunk standalone 8.4.1 with Citrix add-on 8.2.3 installed. Also, I have SC4S running version 3.31.0.

I configured Citrix to send syslog events to SC4S, and running a tcpdump in SC4S, I see those events arriving.

According to the documentation, nothing else needs to be done at the SC4S level.

https://splunk.github.io/splunk-connect-for-syslog/3.31.0/sources/vendor/Citrix/netscaler/

Unfortunately, I don't see any Citrix event in Splunk. I searched in index "netfw" and also filtered by sourcetype (sourcetype="citrix*" and index=*); in both cases, no events are in there.

Other events, from our firewall, are reaching Splunk without any issue via the same SC4S server, so I ruled out network issues.

Any idea about what could be happening? Any SC4S logs that I could check?

Thanks a lot.


corti77
Contributor

For your reference, below is the syslog event received in SC4S that does not seem to trigger the parser
/etc/syslog-ng/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf

tcpdump -n -vvv -i eth0 host 10.143.6.21 -s 0
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:06:40.745046 IP (tos 0x0, ttl 255, id 21289, offset 0, flags [none], proto UDP (17), length 289)
    10.X.Y.Z.23350 > 192.X.Y.Z.syslog: [udp sum ok] SYSLOG, length: 261
        Facility local0 (16), Severity info (6)
        Msg:  12/05/2025:11:06:40  host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 :  Source 192.X.Y.Z:636 - Destination 10.X.Y.z:53621 - Start Time 12/05/2025:11:06:40  - End Time 12/05/2025:11:06:40  - Total_bytes_send 0 - Total_bytes_recv 1 \0x0a

Any idea how to see why it does not match? Should I create some specific parser to force this trigger?

Thanks

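As an added example, not part of this thread and not SC4S's own filter, a small Python parser that makes explicit the structure of the NetScaler message captured above (timestamp, host, packet-engine id, two leading tokens before the event name, the event name, two numeric ids, then a " - " separated list of name/value pairs). The regex and the field names `partition`/`module` are my assumptions about the layout, taken only from the one sample line.

```python
import re
from typing import Optional

# Constructed sample: the NetScaler message quoted in the thread, with the
# addresses masked exactly as they were posted (X/Y/Z are not real octets).
SAMPLE = (
    " 12/05/2025:11:06:40  host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE "
    "465400 0 :  Source 192.X.Y.Z:636 - Destination 10.X.Y.z:53621 - "
    "Start Time 12/05/2025:11:06:40  - End Time 12/05/2025:11:06:40  - "
    "Total_bytes_send 0 - Total_bytes_recv 1 "
)

# Header layout as observed in the sample (hypothetical regex, not SC4S's):
#   <timestamp> <host> <n-PPE-n> : <partition> <module> <EVENT> <id> <seq> : <body>
# "partition"/"module" are assumed names for the two tokens before the event.
HEADER = re.compile(
    r"^\s*(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<ppe>\d+-PPE-\d+)\s+:\s+"
    r"(?P<partition>[A-Za-z0-9_]+)\s+(?P<module>[A-Za-z0-9_]+)\s+"
    r"(?P<event>[A-Z_]+)\s+(?P<msgid>\d+)\s+(?P<seq>\d+)\s+:\s+(?P<body>.*)$"
)


def parse_netscaler(msg: str) -> Optional[dict]:
    """Return the header fields plus body name/value pairs, or None if the
    line does not have the NetScaler header shape at all."""
    m = HEADER.match(msg.rstrip("\n"))
    if not m:
        return None
    out = {k: v for k, v in m.groupdict().items() if k != "body"}
    # The body is " - " separated "<Name> <value>" pairs; names may contain
    # spaces ("Start Time"), so split each pair at its last space.
    for pair in m.group("body").split(" - "):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.rpartition(" ")
        out[name.strip().replace(" ", "_")] = value.strip()
    return out
```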

corti77
Contributor

I found some fixes added in version 3.35.1 related to Citrix.

https://github.com/splunk/splunk-connect-for-syslog/releases?page=1

So I decided to update to the latest version 3.36.0. Unfortunately, the issue remains. 😕


corti77
Contributor

Hi,

Little update. Splunk upgraded to 9.3.3, SC4S upgraded to version 3.37, and Splunk Citrix add-on upgraded to 8.2.3.

The issue remains: I see the CITRIX syslog packet reaching SC4S, but nothing is forwarded to Splunk.

corti77
Contributor


I just found the events in Splunk; they ended up in a different index (osnix). Any idea why the SC4S parser was not triggered? The tags indicate that SC4S correctly identifies CITRIX as the log source.

Thanks
