From b28074972af64e267735e12c63fbbaa063f19ea5 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 09:57:21 -0400
Subject: [PATCH] [filtermod] Update Citrix to handle malformed AAA (#609)
---
 .../filters/citrix/netscalersdx.conf.tmpl | 11 +++
 package/etc/go_templates/source_network.t | 14 ++++
 tests/test_citrix_netscaler.py | 82 ++++++++++++++++---
 3 files changed, 95 insertions(+), 12 deletions(-)
diff --git a/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl b/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
index ee9d403..068e380 100644
--- a/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
+++ b/package/etc/conf.d/filters/citrix/netscalersdx.conf.tmpl
@@ -4,10 +4,21 @@ filter f_citrix_netscaler_sdx_message {
 flags(store-matches)
 );
 };
+filter f_citrix_netscaler_sdx_AAAmessage {
+ message(
+ '^(<\d{1,3}>) ?(\w{1,3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\[\d+\]: AAA Message :.*)'
+ flags(store-matches)
+ );
+};
 rewrite r_citrix_netscaler_sdx_message {
 set("citrix_netscaler" value("fields.sc4s_syslog_format"));
 set("citrix_netscaler" value("fields.sc4s_vendor_product"));
 set("$5" value("HOST"));
 set("$3" value("MESSAGE"));
+};
+rewrite r_citrix_netscaler_sdx_AAAmessage {
+ set("citrix_netscaler" value("fields.sc4s_syslog_format"));
+ set("citrix_netscaler" value("fields.sc4s_vendor_product"));
+ set("$3" value("MESSAGE"));
 };
\ No newline at end of file
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index cdc1a2f..af318ab 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
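Review bot: `r_citrix_netscaler_sdx_AAAmessage` sets MESSAGE and the two `fields.*` values but never sets HOST, unlike `r_citrix_netscaler_sdx_message` directly above it which does `set("$5" value("HOST"))`; the new regex has no hostname group to take it from, so events on this branch keep whatever HOST syslog-ng derived before the rewrite — presumably the sending peer, which behind a relay is not the appliance that produced the AAA failure. For an authentication-failure line that attribution gap should be stated next to the rewrite, e.g. `# Malformed AAA lines carry no hostname: HOST is left as received (likely the sender), not the originating NetScaler.` The third capture group `(\[\d+\]: AAA Message :.*)` intentionally keeps the `[pid]:` prefix inside MESSAGE, which also deserves a one-line comment so nobody "fixes" it later. The new file still ends without a trailing newline (the `\ No newline at end of file` marker is carried over); adding one avoids the same diff noise on the next edit.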
@@ -125,6 +125,13 @@ source s_{{ .port_id }} {
 template("$2"));
 };
 rewrite(r_citrix_netscaler_sdx_message);
+ } elif {
+ filter(f_citrix_netscaler_sdx_AAAmessage);
+ parser {
+ date-parser-nofilter(format('%b %d %H:%M:%S')
+ template("$2"));
+ };
+ rewrite(r_citrix_netscaler_sdx_AAAmessage);
 };
 {{ else if eq .parser "cisco_ucm" }}
 parser (p_cisco_ucm_date);
@@ -157,6 +164,13 @@ source s_{{ .port_id }} {
 template("$2"));
 };
 rewrite(r_citrix_netscaler_sdx_message);
+ } elif {
+ filter(f_citrix_netscaler_sdx_AAAmessage);
+ parser {
+ date-parser-nofilter(format('%b %d %H:%M:%S')
+ template("$2"));
+ };
+ rewrite(r_citrix_netscaler_sdx_AAAmessage);
 } elif {
 filter(f_f5_bigip_message);
 rewrite{
diff --git a/tests/test_citrix_netscaler.py b/tests/test_citrix_netscaler.py
index 812c7df..f212771 100644
--- a/tests/test_citrix_netscaler.py
+++ b/tests/test_citrix_netscaler.py
@@ -16,9 +16,11 @@ env = Environment()
-#<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -
+# <12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -
 def test_citrix_netscaler(record_property, setup_wordlist, setup_splunk, setup_sc4s):
- host = "test-ctitrixns-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ host = "test-ctitrixns-{}-{}".format(
+ random.choice(setup_wordlist), random.choice(setup_wordlist)
+ )
 pid = random.randint(1000, 32000)
 dt = datetime.datetime.now()
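Review bot: The same seven-line `elif` block is added verbatim in both source_network.t hunks (the @@ -125 and @@ -157 sections), each repeating `date-parser-nofilter(format('%b %d %H:%M:%S') template("$2"))`, so the two copies will drift silently the next time the AAA regex or its capture-group numbering changes. At minimum each copy should carry a pointer to its twin, `# keep in sync with the identical AAA branch in the other citrix_netscaler section`; a shared Go-template define would be cleaner if this file already uses them (not visible in the hunk). The branch order is also load-bearing: the AAA filter only runs after `f_citrix_netscaler_sdx_message` fails, which presumably is what lets a host-less AAA line fall through to it, and that dependency deserves one line of comment too. Both enclosing `source s_{{ .port_id }}` blocks start and end outside the hunks.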
@@ -28,12 +30,18 @@ def test_citrix_netscaler(record_property, setup_wordlist, setup_splunk, setup_s
 time = dt.strftime("%d/%m/%Y:%H:%M:%S")
 epoch = epoch[:-7]
- mt = env.from_string("{{ mark }} {{ time }} {{ tzname }} {{ host }} ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -\n")
- message = mt.render(mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid)
+ mt = env.from_string(
+ "{{ mark }} {{ time }} {{ tzname }} {{ host }} ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -\n"
+ )
+ message = mt.render(
+ mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid
+ )
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netfw host={{ host }} sourcetype=\"citrix:netscaler:syslog\"")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netfw host={{ host }} sourcetype="citrix:netscaler:syslog"'
+ )
 search = st.render(epoch=epoch, host=host, pid=pid)
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -45,9 +53,13 @@ def test_citrix_netscaler(record_property, setup_wordlist, setup_splunk, setup_s
 assert resultCount == 1
-#<134>Jun 18 18:18:42 svm_service: 1.1.1.1 18/06/2020:16:18:42 GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.55.1.100 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"
-def test_citrix_netscaler_sdx(record_property, setup_wordlist, setup_splunk, setup_sc4s):
- host = "test-ctitrixns-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+# <134>Jun 18 18:18:42 svm_service: 1.1.1.1 18/06/2020:16:18:42 GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.55.1.100 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"
+def test_citrix_netscaler_sdx(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "test-ctitrixns-{}-{}".format(
+ random.choice(setup_wordlist), random.choice(setup_wordlist)
+ )
 pid = random.randint(1000, 32000)
 dt = datetime.datetime.now()
@@ -57,12 +69,18 @@ def test_citrix_netscaler_sdx(record_property, setup_wordlist, setup_splunk, set
 time = dt.strftime("%d/%m/%Y:%H:%M:%S")
 epoch = epoch[:-7]
- mt = env.from_string('{{ mark }}{{ bsd }} svm_service: {{ host }} {{ time }} GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.1.1.1 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"\n')
- message = mt.render(mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid)
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} svm_service: {{ host }} {{ time }} GMT : GUI CMD_EXECUTED : User nsroot - Remote_ip 10.1.1.1 - Command "login login tenant_name=Owner,password=***********,challenge_response=***********,token=1c81504d124245d,client_port=-1,cert_verified=false,sessionid=***********,session_timeout=900,permission=superuser" - Status "Done"\n'
+ )
+ message = mt.render(
+ mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid
+ )
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netfw host={{ host }} sourcetype=\"citrix:netscaler:syslog\"")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netfw host={{ host }} sourcetype="citrix:netscaler:syslog"'
+ )
 search = st.render(epoch=epoch, host=host, pid=pid)
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -71,4 +89,44 @@ def test_citrix_netscaler_sdx(record_property, setup_wordlist, setup_splunk, set
 record_property("resultCount", resultCount)
 record_property("message", message)
- assert resultCount == 1
\ No newline at end of file
+ assert resultCount == 1
+
+
+# [289]: AAA Message : In receive_ldap_user_search_event: ldap_first_entry returned null, user ssgconfig not found
+def test_citrix_netscaler_sdx_AAA(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "test-ctitrixns-{}-{}".format(
+ random.choice(setup_wordlist), random.choice(setup_wordlist)
+ )
+ pid = random.randint(1000, 32000)
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ time = dt.strftime("%d/%m/%Y:%H:%M:%S")
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }}{{ bsd }} [289]: AAA Message : In receive_ldap_user_search_event: ldap_first_entry returned null, user {{ host }} not found\n"
+ )
+ message = mt.render(
+ mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid
+ )
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netfw {{ host }} sourcetype="citrix:netscaler:syslog"'
+ )
+ search = st.render(epoch=epoch, host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
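Review bot: The new test's search drops `host={{ host }}` and matches the random token as a bare free-text term (`index=netfw {{ host }} sourcetype=...`) because the AAA sample carries no hostname and the token is smuggled in as the LDAP user name — but nothing in `test_citrix_netscaler_sdx_AAA` says so, and a reader comparing it with `test_citrix_netscaler_sdx` will read the missing `host=` as an oversight. Add above `mt = env.from_string(`: `# Malformed AAA lines carry no hostname, so HOST cannot be asserted here; the random token is embedded as the user name so the event is findable by free-text match.` The test also computes `pid`, `time` and `tzname` and passes them to `render()` although the template only uses `mark`, `bsd` and `host`, so the `time = dt.strftime(...)` line and the unused kwargs can be dropped. Finally, `resultCount == 1` only proves the event was indexed under the expected sourcetype; recording or asserting the `host` the event actually received (I would expect the sender address, but cannot confirm that from the hunk) would catch a future change that stamps the wrong host on an authentication-failure event.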