From 95071089b89ac863030c789bc2fdfbabd7085946 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 10 Jul 2020 17:54:13 -0400
Subject: [PATCH] [FILTERADD] Support Citrix SDX (#561)
* [FILTERADD] Support Citrix SDX Add support for events from the SDX appliance * Filter collection correction
---
 docs/sources/Citrix/index.md | 2 +-
 .../conf.d/filters/citrix/netscaler.conf.tmpl | 14 +-------
 .../filters/citrix/netscalersdx.conf.tmpl | 13 +++++++
 package/etc/go_templates/source_network.t | 36 +++++++++++++++++--
 tests/test_citrix_netscaler.py | 29 +++++++++++++++
 5 files changed, 77 insertions(+), 17 deletions(-)
 create mode 100644 package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
diff --git a/docs/sources/Citrix/index.md b/docs/sources/Citrix/index.md
index af78aa2..b9d1495 100644
--- a/docs/sources/Citrix/index.md
+++ b/docs/sources/Citrix/index.md
@@ -1,6 +1,6 @@
 # Vendor - Citrix
-## Product - Netscaler ADC
+## Product - Netscaler ADC/SDX
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
diff --git a/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl b/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
index 201b111..3786fe1 100644
--- a/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
+++ b/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
@@ -3,23 +3,11 @@ filter f_citrix_netscaler {
 };
 filter f_citrix_netscaler_message {
 message(
- '^(<\d{1,3}>) (\d\d\/\d\d\/\d\d\d\d\:\d\d:\d\d:\d\d) ([^ ]{3}+) ([^ ]+) (.*)'
+ '^(<\d{1,3}>) ?(\d\d\/\d\d\/\d\d\d\d\:\d\d:\d\d:\d\d) ([^ ]{3}+) ([^ ]+) (.*)'
 flags(store-matches)
 );
 };
-parser p_citrix_netscaler_date {
-{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
- #10/01/2001:01:01:01 GMT
- date-parser-nofilter(format('%m/%d/%Y:%H:%M:%S')
- template("$2"));
-{{- else }}
- #01/10/2001:01:01:01 GMT
- date-parser-nofilter(format('%d/%m/%Y:%H:%M:%S')
- template("$2"));
-{{- end }}
-};
-
 rewrite r_citrix_netscaler_message {
 set("citrix_netscaler" value("fields.sc4s_syslog_format"));
 set("citrix_netscaler" value("fields.sc4s_vendor_product"));
diff --git a/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl b/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
new file mode 100644
index 0000000..ee9d403
--- /dev/null
+++ b/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
@@ -0,0 +1,13 @@
+filter f_citrix_netscaler_sdx_message {
+ message(
+ '^(<\d{1,3}>) ?(\w{1,3} \d{1,2} \d{2}:\d{2}:\d{2}) (svm([^:]+): ([^ ]+) .*)'
+ flags(store-matches)
+ );
+};
+
+rewrite r_citrix_netscaler_sdx_message {
+ set("citrix_netscaler" value("fields.sc4s_syslog_format"));
+ set("citrix_netscaler" value("fields.sc4s_vendor_product"));
+ set("$5" value("HOST"));
+ set("$3" value("MESSAGE"));
+};
\ No newline at end of file
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index ace8656..966e5af 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
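Review bot: Removing `p_citrix_netscaler_date` from this file means any template that still references that name will make the generated syslog-ng configuration fail to load; the two call sites visible in source_network.t are updated in this commit, but a search for the name across the remaining templates is worth doing before merge. The worked examples (`#10/01/2001:01:01:01 GMT` / `#01/10/2001:01:01:01 GMT`) that documented the two date formats are dropped together with the parser and do not reappear next to the inlined copies; keeping them as comments beside the `{{- if ... USEALT_DATE_FORMAT ... }}` branches would preserve that documentation. The separator between PRI and timestamp in f_citrix_netscaler_message becomes optional (`) ?(`), which silently widens the match; a one-line comment naming which appliance output omits that space would explain the change to the next reader.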
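Review bot: The timestamp group in f_citrix_netscaler_sdx_message allows exactly one space between month and day (`\w{1,3} \d{1,2}`), so if the appliance space-pads single-digit days in the usual BSD `%e` form (`Jun  8 18:18:42`) events from the 1st to the 9th of each month will not match the filter and will fall through untagged; `'^(<\d{1,3}>) ?(\w{1,3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (svm([^:]+): ([^ ]+) .*)'` accepts both forms, and `[A-Za-z]{3}` is a tighter month match than `\w{1,3}`. The rewrite sets HOST from `$5`, a value taken from the event body rather than from the sending peer, so the host recorded for these events is whatever the SDX wrote after `svm_service:` (presumably the managed instance address, as in the test sample in this patch); a comment on that line, `# HOST comes from the event body ($5), not the transport source`, makes that attribution explicit for anyone investigating from these events. Group 4 (`([^:]+)`, the text after `svm`) is captured but never used. The file also ends without a trailing newline.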
@@ -107,8 +107,25 @@ source s_{{ .port_id }} {
 parser (p_cisco_meraki);
 rewrite(set_rfc5424_epochtime);
 {{ else if eq .parser "citrix_netscaler" }}
- parser(p_citrix_netscaler_date);
- rewrite(r_citrix_netscaler_message);
+ if {
+ filter(f_citrix_netscaler_message);
+ parser {
+{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
+ date-parser-nofilter(format('%m/%d/%Y:%H:%M:%S')
+{{- else }}
+ date-parser-nofilter(format('%d/%m/%Y:%H:%M:%S')
+{{- end }}
+ template("$2"));
+ };
+ rewrite(r_citrix_netscaler_message);
+ } elif {
+ filter(f_citrix_netscaler_sdx_message);
+ parser {
+ date-parser-nofilter(format('%b %d %H:%M:%S')
+ template("$2"));
+ };
+ rewrite(r_citrix_netscaler_sdx_message);
+ };
 {{ else if eq .parser "cisco_ucm" }}
 parser (p_cisco_ucm_date);
 rewrite (r_cisco_ucm_message);
@@ -125,8 +142,21 @@ source s_{{ .port_id }} {
 {{ else }}
 if {
 filter(f_citrix_netscaler_message);
- parser(p_citrix_netscaler_date);
+ parser {
+{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
+ date-parser-nofilter(format('%m/%d/%Y:%H:%M:%S')
+{{- else }}
+ date-parser-nofilter(format('%d/%m/%Y:%H:%M:%S')
+{{- end }}
+ template("$2"));
+ };
 rewrite(r_citrix_netscaler_message);
+ } elif {
+ filter(f_citrix_netscaler_sdx_message);
+ parser { date-parser-nofilter(format('%b %d %H:%M:%S')
+ template("$2"));
+ };
+ rewrite(r_citrix_netscaler_sdx_message);
 } elif {
 filter(f_f5_bigip_message);
 rewrite{
diff --git a/tests/test_citrix_netscaler.py b/tests/test_citrix_netscaler.py
index 737182b..812c7df 100644
--- a/tests/test_citrix_netscaler.py
+++ b/tests/test_citrix_netscaler.py
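Review bot: The new `if { ... } elif { ... };` in the `citrix_netscaler` branch has no `else`, so an event on a port dedicated to this parser that matches neither f_citrix_netscaler_message nor f_citrix_netscaler_sdx_message now receives neither a date parser nor r_citrix_netscaler_message, whereas before this hunk the rewrite ran unconditionally and every event on that port was tagged `citrix_netscaler`; if that is intended, a template comment saying so would help, otherwise an `else { rewrite(r_citrix_netscaler_message); };` branch restores the previous tagging. The `{{- if ... SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT ... }}` block is inlined verbatim here and again in the hunk at +142 below; since it was a single named parser before this commit, a comment explaining why the shared definition could not be kept would save the next maintainer from re-extracting it. The enclosing `source s_{{ .port_id }}` block starts and ends outside the hunk.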
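Review bot: In the SDX branch of this hunk the opening brace and the date parser are collapsed onto one line, `parser { date-parser-nofilter(format('%b %d %H:%M:%S')`, while the ADC branch immediately above and the equivalent SDX branch in the hunk at +107 put `parser {` on its own line; splitting it the same way keeps the two branches readable as parallels and makes a later diff between them meaningful. The enclosing `source s_{{ .port_id }}` block starts and ends outside the hunk.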
@@ -43,3 +43,32 @@ def test_citrix_netscaler(record_property, setup_wordlist, setup_splunk, setup_s
 record_property("message", message)
 assert resultCount == 1
+
+
+#<134>Jun 18 18:18:42 svm_service: 1.1.1.1 18/06/2020:16:18:42 GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.55.1.100 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"
+def test_citrix_netscaler_sdx(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "test-ctitrixns-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ time = dt.strftime("%d/%m/%Y:%H:%M:%S")
+ epoch = epoch[:-7]
+
+ mt = env.from_string('{{ mark }}{{ bsd }} svm_service: {{ host }} {{ time }} GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.1.1.1 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"\n')
+ message = mt.render(mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search _time={{ epoch }} index=netfw host={{ host }} sourcetype=\"citrix:netscaler:syslog\"")
+ search = st.render(epoch=epoch, host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
\ No newline at end of file
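Review bot: `pid` is generated and passed to both `render` calls in test_citrix_netscaler_sdx, but neither template references `{{ pid }}`, so the value is dead; drop the `random.randint` line and the `pid=pid` arguments, or wire it into the message if the SDX format carries a process id. `time` is rebound to a `%d/%m/%Y:%H:%M:%S` string right after being unpacked from `time_operations`, which mirrors the existing test above but is easy to misread, and per netscalersdx.conf.tmpl in this patch the date parser reads `$2`, the BSD stamp, not that body timestamp; a short docstring stating that `bsd` drives the parsed `_time` while `time` only fills the in-body ADC-style timestamp would make the intent clear, and the long `#<134>...` sample line would be more discoverable as that docstring's example. The file ends without a trailing newline.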