So, given that NetScaler 12.1 should work: I have events coming in from 4 NetScalers via syslog, and I named the sourcetype=citrix:netscaler:syslog, which I believe is correct upon review of the default props.conf. Fields do not appear to be extracting for the sourcetype. Is this an issue with the rsyslog setup, perhaps the way the timestamps are handled, or is there something I'm missing?
Apr 17 16:04:23 netscaler01.somelan.local 04/17/2019:16:04:17 0-PPE-0 : default TCP CONN_DELINK 11964927 0 : Source 192.168.20.7:64151 - Vserver 192.168.20.4:443 - NatIP 192.168.20.2:49222 - Destination 192.168.20.5:443 - Delink Time 04/17/2019:16:04:17 - Total_bytes_send 0 - Total_bytes_recv 2683
Apr 17 16:04:22 netscaler01.somelan.local 04/17/2019:16:04:16 0-PPE-0 : default TCP CONN_TERMINATE 11964913 0 : Source 192.168.20.6:80 - Destination 192.168.20.3:35760 - Start Time 04/17/2019:16:03:32 - End Time 04/17/2019:16:04:16 - Total_bytes_send 428 - Total_bytes_recv 377
I am using rsyslog to read in my netscaler events.
I have inputs.conf set up to read in all of my rsyslog events and set the sourcetype for each.
This is my Netscaler code in my local/inputs.conf
[monitor:///opt/syslog/netscaler/*/*.log]
sourcetype=citrix:netscaler:syslog
index=network
host_segment=4
disabled=false
Then I use a local/props.conf to establish the time and a local/transforms.conf to extract the NetScaler hostname.
From there the rest of the fields are extracted by the netscaler add-on.
If you want to try this route, I can work you up a time and hostname extract based on your log example.
https://answers.splunk.com/answers/6573/alternative-ways-to-assigning-sourcetype.html
I found a similar question answered, please take a look at the above link.
Hope this helps, Thanks!
Do you have a copy of the props.conf in question handy?
https://splunkbase.splunk.com/app/4366/
I'm just using the default Splunk_TA_citrix_netscaler_Enosys/default/props.conf
cat Splunk_TA_citrix_netscaler_Enosys/default/app.conf | grep -i version
version = 1.1
clip of the sourcetype
[citrix:netscaler:syslog]
KV_MODE=none
SHOULD_LINEMERGE = false
REPORT-citrix_netscaler_syslog = citrix_netscaler_syslog,netscaler_syslog_quoted_fields,netscaler_syslog_unquoted_fields
EXTRACT-1-syslog_event_name = \s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+(?<event_name>\w+)\s+\d+\s+0\s+:\s+.+
EVAL-bytes = Total_bytes_recv+Total_bytes_send
EVAL-dest_ip = mvindex(split(Destination,":"),0)
EVAL-dest_port = mvindex(split(Destination,":"),1)
EVAL-src_ip = mvindex(split(Source,":"),0)
EVAL-src_port = mvindex(split(Source,":"),1)
EVAL-vendor = "Citrix Systems"
FIELDALIAS-cim_builder = event_source AS app User AS user Total_bytes_recv AS bytes_in Total_bytes_send AS bytes_out ns_name AS dvc
EVAL-dest = if(isnull(Destination),if(match(event_name,".*CONNSTAT$"),Remote_ip,if(match(event_name,"^LOG(IN|OUT).*"),host,mvindex(split(Destination,":"),0))),mvindex(split(Destination,":"),0))
EVAL-duration = (strptime(Duration,"%H:%M:%S")-strptime("00:00:00","%H:%M:%S"))*1000
EVAL-src = if(isnull(Source),Client_ip,mvindex(split(Source,":"),0))
FIELDALIAS-device_serial_number_chassis = device_serial_number AS chassis
EVAL-action = case(match(event_name,".*CONNSTAT$"), "allowed", match(event_name,"^LOG(IN|OUT)$"), "success", match(event_name,"LOGIN_FAILED"), "failure")
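A quick way to see why the stanza above yields nothing on the events posted in the question is to run its EXTRACT-1-syslog_event_name regex over those exact lines. The following is an added example for this thread, not code from the add-on or from anyone in the discussion. It takes the regex as quoted (Python's `re` spells the named group `(?P<event_name>...)` where Splunk's PCRE uses `(?<event_name>...)`), applies it to the two sample events, and shows that it requires three whitespace-separated tokens between the NetScaler timestamp and the first ` : ` (the `\w{3}` slot is the timezone NetScaler normally emits, e.g. `GMT`, followed by a device hostname and the `0-PPE-0` field), while the posted events carry only `0-PPE-0`. The constructed "standard layout" line and the tolerant regex variant are assumptions of this example, included to show the contrast; `parse_device_time` and its `%m/%d/%Y:%H:%M:%S` format are likewise added here, not part of the add-on.

```python
import re
from datetime import datetime

# The two events exactly as posted in the question: rsyslog header, then the NetScaler message.
SAMPLE_EVENTS = [
    "Apr 17 16:04:23 netscaler01.somelan.local 04/17/2019:16:04:17 0-PPE-0 : default TCP CONN_DELINK "
    "11964927 0 : Source 192.168.20.7:64151 - Vserver 192.168.20.4:443 - NatIP 192.168.20.2:49222 - "
    "Destination 192.168.20.5:443 - Delink Time 04/17/2019:16:04:17 - Total_bytes_send 0 - Total_bytes_recv 2683",
    "Apr 17 16:04:22 netscaler01.somelan.local 04/17/2019:16:04:16 0-PPE-0 : default TCP CONN_TERMINATE "
    "11964913 0 : Source 192.168.20.6:80 - Destination 192.168.20.3:35760 - Start Time 04/17/2019:16:03:32 - "
    "End Time 04/17/2019:16:04:16 - Total_bytes_send 428 - Total_bytes_recv 377",
]

# Constructed sample (not from the thread) in the layout the add-on regex expects:
# timestamp, a three-letter timezone token, the device hostname, then 0-PPE-0.
CONSTRUCTED_STANDARD_EVENT = (
    "Apr 17 16:04:23 netscaler01.somelan.local 04/17/2019:16:04:17 GMT ns01 0-PPE-0 : default TCP "
    "CONN_DELINK 11964927 0 : Source 192.168.20.7:64151 - Destination 192.168.20.5:443 - "
    "Total_bytes_send 0 - Total_bytes_recv 2683"
)

# EXTRACT-1-syslog_event_name from the quoted props.conf, with the named group in Python syntax.
# Tokens between the timestamp and the first ':' are: \w{3} (timezone), \S+ (hostname), \S+ (0-PPE-0).
ADDON_EVENT_NAME_RE = re.compile(
    r"\s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+(?P<event_name>\w+)\s+\d+\s+0\s+:\s+.+"
)

# Assumed tolerant variant (this example's own, not the add-on's): the timezone and
# hostname tokens are optional, so a line with only 0-PPE-0 before the ':' also matches.
TOLERANT_EVENT_NAME_RE = re.compile(
    r"\s+[\d\/]{10}(:\d{2}){3}\s+(?:\w{3}\s+)?(?:\S+\s+)?\S+\s+:([^:]+)?\s+\w+\s+(?P<event_name>\w+)\s+\d+\s+0\s+:\s+.+"
)

# The device's own timestamp embedded in the message (distinct from the rsyslog header time).
DEVICE_TIME_RE = re.compile(r"\b(\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\b")
DEVICE_TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"  # the strptime shape a TIME_FORMAT for this data would use


def extract_event_name(pattern, event):
    """Return the event_name the given regex would extract, or None when it does not match."""
    match = pattern.search(event)
    return match.group("event_name") if match else None


def parse_device_time(event):
    """Parse the first NetScaler-style timestamp in the event, i.e. the appliance's clock."""
    match = DEVICE_TIME_RE.search(event)
    return datetime.strptime(match.group(1), DEVICE_TIME_FORMAT) if match else None


if __name__ == "__main__":
    for label, event in [("posted #1", SAMPLE_EVENTS[0]),
                         ("posted #2", SAMPLE_EVENTS[1]),
                         ("constructed", CONSTRUCTED_STANDARD_EVENT)]:
        print(f"{label:11s} add-on regex -> {extract_event_name(ADDON_EVENT_NAME_RE, event)}")
        print(f"{label:11s} tolerant     -> {extract_event_name(TOLERANT_EVENT_NAME_RE, event)}")
        print(f"{label:11s} device time  -> {parse_device_time(event)}")
```

Run as-is, the add-on regex returns None for both posted events and CONN_DELINK for the constructed line, so every EVAL in the stanza that keys on event_name (action, dest, src) has nothing to work with on this feed regardless of how rsyslog is configured; the tolerant variant returns CONN_DELINK and CONN_TERMINATE. Whether the missing tokens are absent from what the appliance sends or are being consumed by rsyslog's header parsing is something to check on the raw UDP/TCP payload, since the posted lines only show what rsyslog wrote to disk. The device timestamp sits several seconds behind the rsyslog header in both samples; if the appliance clock is the one that should become _time, that is what a TIME_PREFIX/TIME_FORMAT pair in a local props.conf would select.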
A little weird that there's no TIMESTAMP definition in there, especially when the time seems to show up more than once in the event line.
I'm running into the same exact problem. By any chance, did you ever find a resolution to this issue?
nope, ran out of forks