

[FILTERADD] Support Citrix SDX (#561)
* [FILTERADD] Support Citrix SDX

Add support for events from the SDX appliance

* Filter collection correction
Ryan Faircloth authored and GitHub committed Jul 10, 2020
1 parent 3d2df67 commit 9507108
Showing 5 changed files with 77 additions and 17 deletions.
2 changes: 1 addition & 1 deletion docs/sources/Citrix/index.md
@@ -1,6 +1,6 @@
# Vendor - Citrix

## Product - Netscaler ADC
## Product - Netscaler ADC/SDX

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
14 changes: 1 addition & 13 deletions package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
Expand Up @@ -3,23 +3,11 @@ filter f_citrix_netscaler {
};
filter f_citrix_netscaler_message {
message(
'^(<\d{1,3}>) (\d\d\/\d\d\/\d\d\d\d\:\d\d:\d\d:\d\d) ([^ ]{3}+) ([^ ]+) (.*)'
'^(<\d{1,3}>) ?(\d\d\/\d\d\/\d\d\d\d\:\d\d:\d\d:\d\d) ([^ ]{3}+) ([^ ]+) (.*)'
flags(store-matches)
);
};

parser p_citrix_netscaler_date {
{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
#10/01/2001:01:01:01 GMT
date-parser-nofilter(format('%m/%d/%Y:%H:%M:%S')
template("$2"));
{{- else }}
#01/10/2001:01:01:01 GMT
date-parser-nofilter(format('%d/%m/%Y:%H:%M:%S')
template("$2"));
{{- end }}
};

rewrite r_citrix_netscaler_message {
set("citrix_netscaler" value("fields.sc4s_syslog_format"));
set("citrix_netscaler" value("fields.sc4s_vendor_product"));
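--- a/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
+++ b/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
@@ -0,0 +1,13 @@
+filter f_citrix_netscaler_sdx_message {
+message(
+'^(<\d{1,3}>) ?(\w{1,3} \d{1,2} \d{2}:\d{2}:\d{2}) (svm([^:]+): ([^ ]+) .*)'
+flags(store-matches)
+);
+};
+
+rewrite r_citrix_netscaler_sdx_message {
+set("citrix_netscaler" value("fields.sc4s_syslog_format"));
+set("citrix_netscaler" value("fields.sc4s_vendor_product"));
+set("$5" value("HOST"));
+set("$3" value("MESSAGE"));
+};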
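Review bot: `r_citrix_netscaler_sdx_message` writes the same `fields.sc4s_vendor_product` value, `citrix_netscaler`, that the ADC rewrite uses, so nothing downstream can tell an SDX event from an ADC event by that field; if sharing the sourcetype is deliberate (the new test searches `citrix:netscaler:syslog`), a one-line comment above the rewrite saying so would save the next reader a check, otherwise a distinct value would need its own index/sourcetype mapping, which I cannot see from here. `set("$5" value("HOST"))` replaces the host with a token parsed out of the message body rather than the value derived from the sending connection; that is the usual sc4s pattern, but worth a comment such as `# HOST is taken from the payload ($5), not the transport peer` so operators know the field is only as trustworthy as the message itself. The month token `\w{1,3}` accepts any one to three word characters, looser than the `%b` abbreviation the matching date-parser in `source_network.t` expects; `\w{3}` would reject partial matches earlier. Group 4 (`([^:]+)`) is captured but never used by the rewrite; a non-capturing group would make the intent clearer, though it would renumber `$5` and `$3`.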
36 changes: 33 additions & 3 deletions package/etc/go_templates/source_network.t
Expand Up @@ -107,8 +107,25 @@ source s_{{ .port_id }} {
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
{{ else if eq .parser "citrix_netscaler" }}
parser(p_citrix_netscaler_date);
rewrite(r_citrix_netscaler_message);
if {
filter(f_citrix_netscaler_message);
parser {
{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
date-parser-nofilter(format('%m/%d/%Y:%H:%M:%S')
{{- else }}
date-parser-nofilter(format('%d/%m/%Y:%H:%M:%S')
{{- end }}
template("$2"));
};
rewrite(r_citrix_netscaler_message);
} elif {
filter(f_citrix_netscaler_sdx_message);
parser {
date-parser-nofilter(format('%b %d %H:%M:%S')
template("$2"));
};
rewrite(r_citrix_netscaler_sdx_message);
};
{{ else if eq .parser "cisco_ucm" }}
parser (p_cisco_ucm_date);
rewrite (r_cisco_ucm_message);
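Review bot: The ADC date parser is now spelled out inline twice — in this hunk's `filter(f_citrix_netscaler_message)` branch and again in the second hunk's `{{ else }}` branch — each repeating the `SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT` check, so the two copies can drift; if the parser could not stay in the filters directory, a Go-template partial holding the `parser { … }` body and included at both sites would keep them identical. The SDX parser is duplicated the same way, and the second copy puts `parser { date-parser-nofilter(format('%b %d %H:%M:%S')` on one line while the first breaks it across two; one layout should be used. Previously this branch ran `parser(p_citrix_netscaler_date); rewrite(r_citrix_netscaler_message);` unconditionally, whereas the new `if … elif` has no `else`, so an event arriving on a `citrix_netscaler` port that matches neither filter is presumably left without a vendor_product tag and falls to default handling — if that is intended, a comment like `# no else: events matching neither filter keep default handling` would make it explicit. The enclosing `source s_{{ .port_id }}` block begins before this hunk.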
Expand All @@ -125,8 +142,21 @@ source s_{{ .port_id }} {
{{ else }}
if {
filter(f_citrix_netscaler_message);
parser(p_citrix_netscaler_date);
parser {
{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
date-parser-nofilter(format('%m/%d/%Y:%H:%M:%S')
{{- else }}
date-parser-nofilter(format('%d/%m/%Y:%H:%M:%S')
{{- end }}
template("$2"));
};
rewrite(r_citrix_netscaler_message);
} elif {
filter(f_citrix_netscaler_sdx_message);
parser { date-parser-nofilter(format('%b %d %H:%M:%S')
template("$2"));
};
rewrite(r_citrix_netscaler_sdx_message);
} elif {
filter(f_f5_bigip_message);
rewrite{
29 changes: 29 additions & 0 deletions tests/test_citrix_netscaler.py
Expand Up @@ -43,3 +43,32 @@ def test_citrix_netscaler(record_property, setup_wordlist, setup_splunk, setup_s
record_property("message", message)

assert resultCount == 1


#<134>Jun 18 18:18:42 svm_service: 1.1.1.1 18/06/2020:16:18:42 GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.55.1.100 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"
def test_citrix_netscaler_sdx(record_property, setup_wordlist, setup_splunk, setup_sc4s):
host = "test-ctitrixns-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
pid = random.randint(1000, 32000)

dt = datetime.datetime.now()
iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)

# Tune time functions
time = dt.strftime("%d/%m/%Y:%H:%M:%S")
epoch = epoch[:-7]

mt = env.from_string('{{ mark }}{{ bsd }} svm_service: {{ host }} {{ time }} GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.1.1.1 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"\n')
message = mt.render(mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid)

sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string("search _time={{ epoch }} index=netfw host={{ host }} sourcetype=\"citrix:netscaler:syslog\"")
search = st.render(epoch=epoch, host=host, pid=pid)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1
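Review bot: `mt.render(...)` passes `tzname` and `pid` but the SDX template references neither, and `st.render(...)` passes `pid` while the search string has no `{{ pid }}`; dropping the unused keyword arguments keeps the fixture honest about what the event contains, and then `pid = random.randint(1000, 32000)` is dead and can go too. The test would also benefit from a docstring on `test_citrix_netscaler_sdx` stating what it proves: that an SDX-style event (BSD timestamp, `svm_service:` prefix) is accepted, that the host in the message body becomes the indexed `host` (the search filters on `host={{ host }}`), and that the sourcetype is the shared `citrix:netscaler:syslog` — at present the only documentation is the sample event in the comment above the `def`. The sample line in that comment carries a realistic-looking `token=` value; a clearly fake placeholder would avoid it being mistaken for a live credential in future greps.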
