From 4e7f9de2c7a571c3e35f30d81876e47170942e8e Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Wed, 20 Nov 2024 11:14:50 -0800
Subject: [PATCH] [citrix_adc] Support addition log message types and ECS mappings (#11781)

Improve Citrix ADC integration log parsing and ECS mappings. Changes are:
- Support "Mapped Ip" as value for Nat_Ip in all patterns in the sslvpn pipeline
- Add support for additional "Message" subtypes, and add a "DATA" wildcard that will capture all patterns. All valid "Message" patterns are not known, so it's better to capture all without parsing individual fields than to cause an error.
- Add addition ECS mappings for event.kind, event.outcome, observer.hostname
- Calculate event.duration as the difference from event.start and event.end
---
 packages/citrix_adc/changelog.yml | 5 +
 ...trix-native-with-delink.json-expected.json | 10 +-
 .../test/pipeline/test-citrix-native.json | 48 ++--
 .../test-citrix-native.json-expected.json | 272 +++++++++++++-----
 ...st-citrix-sslvpn-message.log-expected.json | 4 +-
 .../test-citrix-waf-cef.log-expected.json | 2 +-
 .../test-citrix-waf-native.log-expected.json | 232 ++++++++++++++-
 .../elasticsearch/ingest_pipeline/default.yml | 11 +
 .../elasticsearch/ingest_pipeline/native.yml | 15 +
 .../sslvpn_and_aaatm_feature.yml | 18 +-
 packages/citrix_adc/manifest.yml | 2 +-
 11 files changed, 508 insertions(+), 111 deletions(-)

diff --git a/packages/citrix_adc/changelog.yml b/packages/citrix_adc/changelog.yml
index 3dc7abd93a3..85c7ff66d49 100644
--- a/packages/citrix_adc/changelog.yml
+++ b/packages/citrix_adc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: "Support parsing additional sslvpn log messages"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11781
 - version: "1.11.0"
 changes:
 - description: "Improve timestamp parsing"
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json index d42deddd940..b90536fb448 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json @@ -26,6 +26,7 @@ "network" ], "id": "6715345", + "kind": "event", "original": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", "severity": 0, "timezone": "UTC", @@ -35,6 +36,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -95,6 +97,7 @@ ], "end": "2024-08-10T09:38:41.000Z", "id": "6715345", + "kind": "event", "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, "timezone": "UTC", @@ -104,6 +107,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -159,6 +163,7 @@ "network" ], "id": "6715345", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", "severity": 0, "timezone": "UTC", 
@@ -168,6 +173,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -228,6 +234,7 @@ ], "end": "2024-08-21T09:38:41.000Z", "id": "6715345", + "kind": "event", "original": "<131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, "timezone": "UTC", @@ -237,6 +244,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -267,4 +275,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json index a14d2d7a1aa..ce6a0427c94 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json 
@@ -12,73 +12,73 @@ "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN Message 600000 0 : Logout handler : starting 30sec timer after sending saml logout req to IdP, for user user_name \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN TCPCONNSTAT 600000 0 : Context user_name@domain.com@0.0.0.0 - SessionId: 343368 - User user_name - Client_ip 0.0.0.0 - Nat_ip 0.0.0.0 - Vserver 0.0.0.0:443 - Source 0.0.0.0:51607 - Destination 0.0.0.0:443 - Start_time \"11/06/2024:08:32:59\" - End_time \"11/06/2024:08:33:03\" - Duration 00:00:04 - Total_bytes_send 0 - Total_bytes_recv 378 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) \"N/A\" \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN HTTPREQUEST 600000 0 : Context user_name@domain.com@0.0.0.0 - SessionId: 342014 - subdomain.domain.com User user_name : Group(s) N/A : Vserver 0.0.0.0:443 - 11/06/2024:08:33:03 : SSO is ON : POST /Citrix/EXTFASWeb/Resources/GetLaunchStatus/QDQ2mj0ij09NPOAKJPOJl-- - - \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICASTART 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 0.0.0.0:62480 - Destination 0.0.0.0:2598 - customername - username:domainname username:domain - applicationName Developer Europe $P14189 - startTime \"11/06/2024:08:32:58\" - connectionId 
16879892 \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=000bb24f-efd3-172a-9678-000d3ac7ec06] Source 0.0.0.0:51547 - Destination 0.0.0.0:2598 - customername - username:domainname username:domain - startTime \"11/06/2024:04:25:54\" - endTime \"11/06/2024:08:33:02\" - Duration 04:07:08 - Total_bytes_send 109566281 - Total_bytes_recv 32996419 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 1057494 \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGIN 600000 0 : Logout handler : Context user_name@domain.com@0.0.0.0 - SessionId: 343368 - User user_name - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Browser_type \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\" - SSLVPN_client_type ICA - Group(s) \"N/A\" \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGOUT 600000 0 : Logout handler : Context user_name@domain.com@0.0.0.0 - SessionId: 17790 - User user_name - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/06/2024:07:49:17\" - End_time \"11/06/2024:08:32:57\" - Duration 00:43:40 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 176 - Total_UDP_flows 0 - Total_policies_allowed 175 - Total_policies_denied 0 - Total_bytes_send 804 - Total_bytes_recv 3079180 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"TimedOut\" - Group(s) \"N/A\" \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : 
default SSLVPN REMOVE_SESSION_DEBUG 600000 0 : Sessionid 13707 - User user_name - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver_ip 0.0.0.0 - Errmsg \"\" \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN Message 600000 0 : Logout handler : starting 30sec timer after sending saml logout req to IdP, for user \n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN TCPCONNSTAT 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 346153 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip 0.0.0.0 - Vserver 0.0.0.0:443 - Source 0.0.0.0:4595 - Destination 0.0.0.0:443 - Start_time \"11/08/2024:15:01:39\" - End_time \"11/08/2024:15:01:39\" - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 417 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) \"N/A\"\n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGIN 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 346153 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Browser_type \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0.0.0.0 Safari/537.36\" - SSLVPN_client_type ICA - Group(s) \"N/A\"\n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGOUT 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 352037 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/08/2024:11:14:19\" - End_time \"11/08/2024:11:46:32\" - Duration 00:32:13 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 67 - Total_UDP_flows 0 - 
Total_policies_allowed 67 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 1529833 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"TimedOut\" - Group(s) \"N/A\"\n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGOUT 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 351869 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/08/2024:10:37:13\" - End_time \"11/08/2024:10:43:39\" - Duration 00:06:26 - Http_resources_accessed 7 - NonHttp_services_accessed 0 - Total_TCP_connections 14 - Total_UDP_flows 0 - Total_policies_allowed 14 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 86130 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"Explicit\" - Group(s) \"N/A\"\n" }, - { + { "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : \n" + "message": "<134> 21/08/2024:13:25:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 \n" }, - { - "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : \n" + { + "@timestamp": "2024-11-18T12:18:56.000Z", + "message": "<134> 
11/18/2024:12:18:56 GMT CITRIX-HOST 0-PPE-0 : default AAATM Message 7488570 0 : \"SAML: successfully verified digest and signature on saml:Response\"\n" }, - { - "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : \n" + { + "@timestamp": "2024-11-18T12:18:56.000Z", + "message": "<134> 11/18/2024:12:18:56 GMT CITRIX-HOST 0-PPE-0 : default AAATM Message 7488573 0 : \"aaatm_handler successfully parsed assertion client ip is fbe2s, username is UserName@domain.com\"\n" }, { - "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<134> 21/08/2024:13:25:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 \n" + "@timestamp": "2024-11-18T10:59:53.000Z", + "message": "<134> 11/18/2024:10:59:53 GMT HOSTNAME 0-PPE-2 : default SSLVPN LOGOUT 6918043 0 : User UserName@domain.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/18/2024:10:59:53 GMT\" - End_time \"11/18/2024:10:59:53 GMT\" - Duration 00:00:00 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"InternalError\" - Group(s) \"N/A\"\n" } - ] + ] } 
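Review bot: The two new AAATM `Message` samples that replace the CHANGEME placeholders both carry a single well-formed, double-quoted body, so nothing in this test input demonstrates the "DATA" catch-all the description promises — a `Message` body that matches none of the specific patterns (one containing ` - ` key/value-looking separators, or unbalanced quotes) is exactly the case the description says must not fail, and it is not covered. The patterns themselves are in the sslvpn_and_aaatm_feature.yml hunk, which is outside this chunk, so whether the fallback is reached is inferred from the description only. Adding one deliberately unstructured `Message` sample (e.g. `"... default AAATM Message 1 0 : key - value - odd \"text"`, constructed) would pin the no-error behaviour in the expected file. Separately, the `{` lines in this hunk change only indentation; keeping whitespace-only churn out of a fixture diff makes the real additions easier to review.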
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json index 6265f2c0c7b..2a7ee331edc 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json @@ -51,6 +51,7 @@ ], "end": "2024-08-10T09:38:41.000Z", "id": "6715345", + "kind": "event", "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, "timezone": "UTC", @@ -60,6 +61,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -115,6 +117,7 @@ "network" ], "id": "6715345", + "kind": "event", "original": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", "severity": 0, "timezone": "UTC", @@ -124,6 +127,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -159,6 +163,7 @@ "network" ], "id": "6715345", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", "severity": 0, "timezone": "UTC", @@ -168,6 +173,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -203,6 +209,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN Message 600000 0 : Logout handler : starting 30sec timer after sending saml logout req to IdP, for user user_name \n", "severity": 0, "timezone": "UTC", @@ -211,6 +218,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -283,8 +291,10 @@ "category": [ "authentication" ], + "duration": 4000000000, "end": "2024-06-11T08:33:03.000Z", "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN TCPCONNSTAT 600000 0 : Context user_name@domain.com@0.0.0.0 - SessionId: 343368 - User user_name - Client_ip 0.0.0.0 - Nat_ip 0.0.0.0 - Vserver 0.0.0.0:443 - Source 0.0.0.0:51607 - Destination 0.0.0.0:443 - Start_time \"11/06/2024:08:32:59\" - End_time \"11/06/2024:08:33:03\" - Duration 00:00:04 - Total_bytes_send 0 - Total_bytes_recv 378 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) \"N/A\" \n", "severity": 0, "start": "2024-06-11T08:32:59.000Z", @@ -297,6 +307,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -374,6 +385,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN HTTPREQUEST 600000 0 : Context user_name@domain.com@0.0.0.0 - SessionId: 342014 - subdomain.domain.com User user_name : Group(s) N/A : Vserver 0.0.0.0:443 - 11/06/2024:08:33:03 : SSO is ON : POST /Citrix/EXTFASWeb/Resources/GetLaunchStatus/QDQ2mj0ij09NPOAKJPOJl-- - - \n", "severity": 0, "timezone": "UTC", @@ -385,6 +397,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
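Review bot: `event.outcome` is absent from the TCPCONNSTAT document in the `@@ -283,8 +291,10 @@` hunk even though the commit description lists it among the new ECS mappings and the original line carries an explicit `Access Allowed` result; the context lines run straight from `"original"` to `"severity"`, where an `"outcome"` key would sort, so no value was produced. The same holds for every other document in this file, including the LOGIN and LOGOUT documents with `LogoutMethod "TimedOut"`/`"Explicit"` further down. Presumably the outcome mapping lives only in the WAF pipeline (test-citrix-waf-native.log-expected.json, outside this chunk) — if so, the changelog entry should say which log types gain the field; otherwise the sslvpn pipeline should map `Access Allowed`/`Denied` to `event.outcome: success`/`failure` so the access decision is queryable without string-matching `event.original`.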
@@ -455,6 +468,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICASTART 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 0.0.0.0:62480 - Destination 0.0.0.0:2598 - customername - username:domainname username:domain - applicationName Developer Europe $P14189 - startTime \"11/06/2024:08:32:58\" - connectionId 16879892 \n", "severity": 0, "start": "2024-06-11T08:32:58.000Z", @@ -464,6 +478,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -539,8 +554,10 @@ "category": [ "authentication" ], + "duration": 14828000000000, "end": "2024-06-11T08:33:02.000Z", "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=000bb24f-efd3-172a-9678-000d3ac7ec06] Source 0.0.0.0:51547 - Destination 0.0.0.0:2598 - customername - username:domainname username:domain - startTime \"11/06/2024:04:25:54\" - endTime \"11/06/2024:08:33:02\" - Duration 04:07:08 - Total_bytes_send 109566281 - Total_bytes_recv 32996419 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 1057494 \n", "severity": 0, "start": "2024-06-11T04:25:54.000Z", @@ -550,6 +567,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -616,6 +634,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGIN 600000 0 : Logout handler : Context user_name@domain.com@0.0.0.0 - SessionId: 343368 - User user_name - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Browser_type \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\" - SSLVPN_client_type ICA - Group(s) \"N/A\" \n", "severity": 0, "timezone": "UTC", @@ -627,6 +646,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -707,8 +727,10 @@ "category": [ "authentication" ], + "duration": 2620000000000, "end": "2024-06-11T08:32:57.000Z", "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGOUT 600000 0 : Logout handler : Context user_name@domain.com@0.0.0.0 - SessionId: 17790 - User user_name - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/06/2024:07:49:17\" - End_time \"11/06/2024:08:32:57\" - Duration 00:43:40 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 176 - Total_UDP_flows 0 - Total_policies_allowed 175 - Total_policies_denied 0 - Total_bytes_send 804 - Total_bytes_recv 3079180 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"TimedOut\" - Group(s) \"N/A\" \n", "severity": 0, "start": "2024-06-11T07:49:17.000Z", @@ -721,6 +743,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -783,6 +806,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN REMOVE_SESSION_DEBUG 600000 0 : Sessionid 13707 - User user_name - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver_ip 0.0.0.0 - Errmsg \"\" \n", "severity": 0, "timezone": "UTC", @@ -791,6 +815,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -840,6 +865,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN Message 600000 0 : Logout handler : starting 30sec timer after sending saml logout req to IdP, for user \n", "severity": 0, "timezone": "UTC", @@ -848,6 +874,7 @@ ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -920,8 +947,10 @@ "category": [ "authentication" ], + "duration": 0, "end": "2024-08-11T15:01:39.000Z", "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN TCPCONNSTAT 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 346153 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip 0.0.0.0 - Vserver 0.0.0.0:443 - Source 0.0.0.0:4595 - Destination 0.0.0.0:443 - Start_time \"11/08/2024:15:01:39\" - End_time \"11/08/2024:15:01:39\" - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 417 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) \"N/A\"\n", "severity": 0, "start": "2024-08-11T15:01:39.000Z", @@ -934,6 +963,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -1006,6 +1036,7 @@ "authentication" ], "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGIN 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 346153 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Browser_type \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0.0.0.0 Safari/537.36\" - SSLVPN_client_type ICA - Group(s) \"N/A\"\n", "severity": 0, "timezone": "UTC", @@ -1017,6 +1048,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1097,8 +1129,10 @@ "category": [ "authentication" ], + "duration": 1933000000000, "end": "2024-08-11T11:46:32.000Z", "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGOUT 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 352037 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/08/2024:11:14:19\" - End_time \"11/08/2024:11:46:32\" - Duration 00:32:13 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 67 - Total_UDP_flows 0 - Total_policies_allowed 67 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 1529833 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"TimedOut\" - Group(s) \"N/A\"\n", "severity": 0, "start": "2024-08-11T11:14:19.000Z", @@ -1111,6 +1145,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -1194,8 +1229,10 @@ "category": [ "authentication" ], + "duration": 386000000000, "end": "2024-08-11T10:43:39.000Z", "id": "600000", + "kind": "event", "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN LOGOUT 600000 0 : Context user_name@acme.com@0.0.0.0 - SessionId: 351869 - User user_name@acme.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/08/2024:10:37:13\" - End_time \"11/08/2024:10:43:39\" - Duration 00:06:26 - Http_resources_accessed 7 - NonHttp_services_accessed 0 - Total_TCP_connections 14 - Total_UDP_flows 0 - Total_policies_allowed 14 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 86130 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"Explicit\" - Group(s) \"N/A\"\n", "severity": 0, "start": "2024-08-11T10:37:13.000Z", @@ -1208,6 +1245,7 @@ "name": "N/A" }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -1236,14 +1274,47 @@ } }, { - "@timestamp": "2024-08-21T09:38:41.000Z", + "@timestamp": "2024-08-21T13:25:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : ", + "detail": "<134> 21/08/2024:13:25:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 ", "device_event_class_id": "SSLVPN", + "extended": { + "message": "[TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 " + }, "host": "SYSLOGHOST", - "name": "CHANGEME" + "name": "ICAEND_CONNSTAT" + }, + "citrix_adc": { + "log": { + "compression_ratio_recieved": 0.0, + "compression_ratio_send": 0.0, + "connection_id": "20459456", + "destination": { + "ip": "10.0.10.75", + "port": 2598 + }, + "domain_name": "domain_name", + "duration": "00:06:26", + "end_time": "2024-08-11T10:43:39.000Z", + "message": "[TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime 
\"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 ", + "source": { + "ip": "67.43.156.1", + "port": 50385 + }, + "start_time": "2024-08-11T10:37:13.000Z", + "total_bytes_received": 2761789, + "total_bytes_send": 8379078, + "total_compressed_bytes_recieved": 0, + "total_compressed_bytes_send": 0, + "username": "user_name" + } + }, + "destination": { + "bytes": 2761789, + "ip": "10.0.10.75", + "port": 2598 }, "ecs": { "version": "8.11.0" 
@@ -1252,50 +1323,95 @@ "category": [ "authentication" ], + "duration": 386000000000, + "end": "2024-08-11T10:43:39.000Z", "id": "600000", - "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : \n", + "kind": "event", + "original": "<134> 21/08/2024:13:25:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 \n", "severity": 0, + "start": "2024-08-11T10:37:13.000Z", "timezone": "UTC", "type": [ "info" ] }, "observer": { + "hostname": "SYSLOGHOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" }, + "related": { + "ip": [ + "67.43.156.1", + "10.0.10.75" + ], + "user": [ + "user_name" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "bytes": 8379078, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.1", + "port": 50385 + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "domain_name", + "name": "user_name" + } }, { - "@timestamp": "2024-08-21T09:38:41.000Z", + "@timestamp": "2024-11-18T12:18:56.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : ", - "device_event_class_id": "SSLVPN", - "host": "SYSLOGHOST", - "name": "CHANGEME" + "detail": "<134> 11/18/2024:12:18:56 GMT CITRIX-HOST 0-PPE-0 : default AAATM Message 7488570 0 : \"SAML: successfully verified 
digest and signature on saml:Response\"", + "device_event_class_id": "AAATM", + "extended": { + "message": "SAML: successfully verified digest and signature on saml:Response" + }, + "host": "CITRIX-HOST", + "name": "Message" + }, + "citrix_adc": { + "log": { + "message": "SAML: successfully verified digest and signature on saml:Response" + } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ - "authentication" + "network" ], - "id": "600000", - "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : \n", + "id": "7488570", + "kind": "event", + "original": "<134> 11/18/2024:12:18:56 GMT CITRIX-HOST 0-PPE-0 : default AAATM Message 7488570 0 : \"SAML: successfully verified digest and signature on saml:Response\"\n", "severity": 0, - "timezone": "UTC", + "timezone": "GMT", "type": [ "info" ] }, "observer": { + "hostname": "CITRIX-HOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
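Review bot: The AAATM `Message` document in this hunk (and the second one in the `@@ -1306,31 +1422,41 @@` hunk that follows) is classified `event.category: network`, although its content is SAML digest/signature verification and assertion parsing — authentication activity — and the SSLVPN `Message` documents earlier in this file keep `authentication`. Detection rules and dashboards that pivot on `event.category: authentication` will therefore not see AAATM SAML events at all. The category is assigned in the pipeline, which is outside this chunk; if it is keyed on `device_event_class_id`, `AAATM` likely needs the same treatment as `SSLVPN`. `related.user` is also empty here while the second message states `username is UserName@domain.com`; if leaving that unparsed is deliberate per the description's rationale, a comment on the DATA pattern saying so would stop the next reader from treating it as an omission.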
@@ -1306,31 +1422,41 @@ ] }, { - "@timestamp": "2024-08-21T09:38:41.000Z", + "@timestamp": "2024-11-18T12:18:56.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : ", - "device_event_class_id": "SSLVPN", - "host": "SYSLOGHOST", - "name": "CHANGEME" + "detail": "<134> 11/18/2024:12:18:56 GMT CITRIX-HOST 0-PPE-0 : default AAATM Message 7488573 0 : \"aaatm_handler successfully parsed assertion client ip is fbe2s, username is UserName@domain.com\"", + "device_event_class_id": "AAATM", + "extended": { + "message": "aaatm_handler successfully parsed assertion client ip is fbe2s, username is UserName@domain.com" + }, + "host": "CITRIX-HOST", + "name": "Message" + }, + "citrix_adc": { + "log": { + "message": "aaatm_handler successfully parsed assertion client ip is fbe2s, username is UserName@domain.com" + } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ - "authentication" + "network" ], - "id": "600000", - "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default SSLVPN CHANGEME 600000 0 : \n", + "id": "7488573", + "kind": "event", + "original": "<134> 11/18/2024:12:18:56 GMT CITRIX-HOST 0-PPE-0 : default AAATM Message 7488573 0 : \"aaatm_handler successfully parsed assertion client ip is fbe2s, username is UserName@domain.com\"\n", "severity": 0, - "timezone": "UTC", + "timezone": "GMT", "type": [ "info" ] }, "observer": { + "hostname": "CITRIX-HOST", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -1341,47 +1467,51 @@ ] }, { - "@timestamp": "2024-08-21T13:25:41.000Z", + "@timestamp": "2024-11-18T10:59:53.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<134> 21/08/2024:13:25:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 ", + "detail": "<134> 11/18/2024:10:59:53 GMT HOSTNAME 0-PPE-2 : default SSLVPN LOGOUT 6918043 0 : User UserName@domain.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/18/2024:10:59:53 GMT\" - End_time \"11/18/2024:10:59:53 GMT\" - Duration 00:00:00 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"InternalError\" - Group(s) \"N/A\"", "device_event_class_id": "SSLVPN", "extended": { - "message": "[TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 " + "message": "User UserName@domain.com - Client_ip 0.0.0.0 
- Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/18/2024:10:59:53 GMT\" - End_time \"11/18/2024:10:59:53 GMT\" - Duration 00:00:00 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"InternalError\" - Group(s) \"N/A\"" }, - "host": "SYSLOGHOST", - "name": "ICAEND_CONNSTAT" + "host": "HOSTNAME", + "name": "LOGOUT" }, "citrix_adc": { "log": { + "client_ip": "0.0.0.0", "compression_ratio_recieved": 0.0, "compression_ratio_send": 0.0, - "connection_id": "20459456", - "destination": { - "ip": "10.0.10.75", - "port": 2598 - }, - "domain_name": "domain_name", - "duration": "00:06:26", - "end_time": "2024-08-11T10:43:39.000Z", - "message": "[TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 ", - "source": { - "ip": "67.43.156.1", - "port": 50385 - }, - "start_time": "2024-08-11T10:37:13.000Z", - "total_bytes_received": 2761789, - "total_bytes_send": 8379078, + "duration": "00:00:00", + "end_time": "2024-11-18T10:59:53.000Z", + "groups": "N/A", + "http_resources_accessed": "0", + "logout_method": "InternalError", + "message": "User UserName@domain.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/18/2024:10:59:53 GMT\" - End_time \"11/18/2024:10:59:53 GMT\" - Duration 00:00:00 - Http_resources_accessed 0 - NonHttp_services_accessed 0 
- Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"InternalError\" - Group(s) \"N/A\"", + "non_http_services_accessed": "0", + "start_time": "2024-11-18T10:59:53.000Z", + "total_bytes_received": 0, + "total_bytes_send": 0, "total_compressed_bytes_recieved": 0, "total_compressed_bytes_send": 0, - "username": "user_name" + "total_policies_allowed": 0, + "total_policies_denied": 0, + "total_tcp_connections": 0, + "total_udp_flows": 0, + "user": "UserName@domain.com", + "vserver": { + "ip": "0.0.0.0", + "port": 443 + } } }, + "client": { + "ip": "0.0.0.0" + }, "destination": { - "bytes": 2761789, - "ip": "10.0.10.75", - "port": 2598 + "bytes": 0 }, "ecs": { "version": "8.11.0" 
@@ -1390,55 +1520,49 @@ "category": [ "authentication" ], - "end": "2024-08-11T10:43:39.000Z", - "id": "600000", - "original": "<134> 21/08/2024:13:25:41 SYSLOGHOST 0-PPE-1 : default SSLVPN ICAEND_CONNSTAT 600000 0 : [TCP] [CGP][ICAUUID=00033ef4-29bb-172b-9678-0022480fced0] Source 67.43.156.1:50385 - Destination 10.0.10.75:2598 - customername - username:domainname user_name:domain_name - startTime \"11/08/2024:10:37:13 \" - endTime \"11/08/2024:10:43:39 \" - Duration 00:06:26 - Total_bytes_send 8379078 - Total_bytes_recv 2761789 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 20459456 \n", + "duration": 0, + "end": "2024-11-18T10:59:53.000Z", + "id": "6918043", + "kind": "event", + "original": "<134> 11/18/2024:10:59:53 GMT HOSTNAME 0-PPE-2 : default SSLVPN LOGOUT 6918043 0 : User UserName@domain.com - Client_ip 0.0.0.0 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:443 - Start_time \"11/18/2024:10:59:53 GMT\" - End_time \"11/18/2024:10:59:53 GMT\" - Duration 00:00:00 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"InternalError\" - Group(s) \"N/A\"\n", "severity": 0, - "start": "2024-08-11T10:37:13.000Z", - "timezone": "UTC", + "start": "2024-11-18T10:59:53.000Z", + "timezone": "GMT", "type": [ "info" ] }, + "group": { + "name": "N/A" + }, "observer": { + "hostname": "HOSTNAME", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" }, "related": { "ip": [ - "67.43.156.1", - "10.0.10.75" + "0.0.0.0" ], "user": [ - "user_name" + "UserName@domain.com" ] }, + "server": { + "ip": "0.0.0.0", + "port": 443 + }, "source": { - "as": { - "number": 35908 - }, - "bytes": 8379078, - "geo": { - 
"continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.1", - "port": 50385 + "bytes": 0 }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ], "user": { - "domain": "domain_name", - "name": "user_name" + "name": "UserName@domain.com" } } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json index 7c8b9e58fca..8e7cf37081f 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json @@ -26,6 +26,7 @@ "authentication" ], "id": "30461998", + "kind": "event", "original": "<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : \"[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400\"", "severity": 0, "timezone": "UTC", @@ -34,6 +35,7 @@ ] }, "observer": { + "hostname": "PRODSY3VPX01", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -44,4 +46,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json index 84422a50747..73a9ff1efe8 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json @@ -840,4 +840,4 @@ } } ] -} \ No newline at end of file +} 
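Review bot: The new LOGOUT expectation records `client.ip`, `server.ip` and `related.ip` as `0.0.0.0` and stores `"N/A"` as `group.name`, which are placeholders in the source log rather than real entities. Filling `related.ip` with the unspecified address will pivot every such logout onto one meaningless value in investigations; a guard that skips `0.0.0.0` and `N/A` before populating the ECS fields would be cleaner. Whether the pipeline should do that is outside this hunk, so this is a point about what the fixture now pins as correct.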
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json index 1b697a61d5a..475f2d703a0 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json @@ -43,6 +43,7 @@ "network" ], "id": "60", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : default APPFW APPFW_cross-site scripting 60 0 : 175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area=\"Bad tag: script\" ", "severity": 0, "timezone": "GMT", @@ -51,6 +52,7 @@ ] }, "observer": { + "hostname": "ns", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -106,6 +108,7 @@ "network" ], "id": "5743593", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"RC4-MD5 TLSv1.2 Non-Export 128-bit\" - Session Reuse", "severity": 0, "timezone": "GMT", @@ -114,6 +117,7 @@ ] }, "observer": { + "hostname": "citrix.netscaler.test", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -206,6 +210,7 @@ ], "end": "2014-10-06T14:03:23.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352", "severity": 0, "timezone": "GMT", @@ -215,6 +220,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -303,8 +309,10 @@ "category": [ "network" ], + "duration": 47000000000, "end": "2014-10-06T14:03:30.000Z", "id": "4472", + "kind": "event", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, "start": "2014-10-06T14:02:43.000Z", @@ -315,6 +323,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -396,8 +405,10 @@ "category": [ "network" ], + "duration": 45000000000, "end": "2014-10-06T14:03:30.000Z", "id": "4473", + "kind": "event", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, "start": "2014-10-06T14:02:45.000Z", @@ -408,6 +419,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -489,8 +501,10 @@ "category": [ "network" ], + "duration": 44000000000, "end": "2014-10-06T14:03:30.000Z", "id": "4474", + "kind": "event", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, "start": "2014-10-06T14:02:46.000Z", @@ -501,6 +515,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -590,6 +605,7 @@ ], "end": "2022-06-14T16:05:04.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", "severity": 0, "timezone": "GMT", @@ -599,6 +615,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -686,8 +703,10 @@ "category": [ "network" ], + "duration": 300000000000, "end": "2023-04-01T11:05:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", "severity": 0, "start": "2023-04-01T11:00:00.000Z", @@ -698,6 +717,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -787,6 +807,7 @@ ], "end": "2023-04-01T12:00:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400", "severity": 0, "timezone": "GMT", @@ -796,6 +817,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -893,8 +915,10 @@ "category": [ "network" ], + "duration": 300000000000, "end": "2023-04-01T11:05:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", "reason": "Client Reset", "severity": 0, @@ -906,6 +930,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -999,8 +1024,10 @@ "category": [ "network" ], + "duration": 300000000000, "end": "2023-04-01T11:05:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", "reason": "Timeout", "severity": 0, @@ -1012,6 +1039,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -1099,6 +1127,7 @@ ], "code": "0", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data", "severity": 0, "timezone": "GMT", @@ -1110,6 +1139,7 @@ "protocol": "icmp" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1191,6 +1221,7 @@ ], "code": "1", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL6_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data", "severity": 0, "timezone": "GMT", @@ -1202,6 +1233,7 @@ "protocol": "icmp" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1281,6 +1313,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_QUERY 4471 0 : Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated ", "reason": "UserAuthenticated ", "severity": 0, @@ -1290,6 +1323,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1377,6 +1411,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_RESPONSE 4471 0 : Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked ", "reason": "CategoryBlocked ", "severity": 0, 
@@ -1386,6 +1421,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1473,6 +1509,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_ERROR 4471 0 : Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved ", "reason": "AdminApproved ", "severity": 0, @@ -1482,6 +1519,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1591,6 +1629,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_SIP_INFO_PACKET_EVENT 4471 0 : Infomsg: \"SIP request received\" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -", "severity": 0, "timezone": "GMT", @@ -1611,6 +1650,7 @@ "transport": "udp" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1689,6 +1729,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_RTSP_INFO_DELETE_CALL_PACKET_EVENT 4471 0 : Infomsg: \"Log info RTSP ALG call deletion\" - Group: RTSPALG - Session_ID: session123 -", "severity": 0, "timezone": "GMT", @@ -1701,6 +1742,7 @@ }, "message": "Log info RTSP ALG call deletion", "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -1770,6 +1812,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : URLFILT URLFILT_LOG 4471 0 : Source 192.168.1.100 - Destination 1.128.0.0 URL www.example.com/page - Category Technology - Categorygroup Internet - Reputation 3 - Policyaction ALLOW", "severity": 0, "timezone": "GMT", @@ -1778,6 +1821,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1868,6 +1912,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI ICAP_LOG 4471 0 : Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY", "severity": 0, "timezone": "GMT", @@ -1881,6 +1926,7 @@ } }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -1979,6 +2025,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI INLINE_INSPECTION_LOG 4471 0 : ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS - URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344", "severity": 0, "timezone": "GMT", @@ -1990,6 +2037,7 @@ "protocol": "https" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -2095,6 +2143,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI TRAFFIC_MIRROR_LOG 4471 0 : ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344", "severity": 0, "timezone": "GMT", @@ -2106,6 +2155,7 @@ "protocol": "ssh" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -2184,6 +2234,7 @@ "process" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", "outcome": "success", "severity": 0, @@ -2193,6 +2244,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -2262,6 +2314,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGIN 4471 0 : User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type \"Chrome\" - SSLVPN_client_type NetScalerPlugin - Group(s) \"IT,RemoteWorkers\"", "severity": 0, "timezone": "GMT", @@ -2273,6 +2326,7 @@ "name": "IT,RemoteWorkers" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -2362,8 +2416,10 @@ "category": [ "authentication" ], + "duration": 14400000000000, "end": "2023-04-01T12:00:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGOUT 4471 0 : User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"", "severity": 0, "start": "2023-04-01T08:00:00.000Z", @@ -2376,6 +2432,7 @@ "name": "HR,Finance" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -2472,6 +2529,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICASTART 4471 0 : Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c", "severity": 0, "start": "2023-04-01T09:00:00.000Z", @@ -2481,6 +2539,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
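Review bot: The new `event.duration` of 14400000000000 ns (4 h) is derived from `Start_time`/`End_time`, while the same sample line carries `Duration 00:00:04`; the synthetic fixture contradicts itself, so this test cannot tell whether a parser regression picked the wrong source. The ICAEND_CONNSTAT and TCPCONNSTAT samples in the following hunk have the same mismatch (00:01:04 vs 45 min, 00:02:04 vs 1 h). Aligning the `Duration` field of these samples with their start/end times, or documenting in the test input that `event.duration` is intentionally computed from the timestamps, would make the expectation meaningful.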
@@ -2580,8 +2639,10 @@ "category": [ "authentication" ], + "duration": 2700000000000, "end": "2023-04-01T09:45:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", "severity": 0, "start": "2023-04-01T09:00:00.000Z", @@ -2591,6 +2652,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -2682,8 +2744,10 @@ "category": [ "authentication" ], + "duration": 3600000000000, "end": "2023-04-01T11:00:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONNSTAT 4471 0 : User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"", "severity": 0, "start": "2023-04-01T10:00:00.000Z", @@ -2696,6 +2760,7 @@ "name": "Developers,QA" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -2772,6 +2837,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONN_TIMEDOUT 4471 0 : User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact \"2023-04-01T13:00:00Z\" - Group(s) \"Sales,Marketing\"", "severity": 0, "timezone": "GMT", @@ -2783,6 +2849,7 @@ "name": "Sales,Marketing" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -2872,8 +2939,10 @@ "category": [ "authentication" ], + "duration": 3600000000000, "end": "2023-04-01T15:00:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN UDPFLOWSTAT 4471 0 : User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", "severity": 0, "start": "2023-04-01T14:00:00.000Z", @@ -2886,6 +2955,7 @@ "name": "Management,Executives" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -2964,6 +3034,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"SecurityPolicy\"", "severity": 0, "timezone": "GMT", @@ -2972,6 +3043,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -3029,6 +3101,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"UnauthorizedAccessAttempt\"", "severity": 0, "timezone": "GMT", @@ -3037,6 +3110,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3098,6 +3172,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LICLMT_REACHED 4471 0 : Vserver 1.128.0.0:443 - License_limit 500", "severity": 0, "timezone": "GMT", @@ -3106,6 +3181,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3163,6 +3239,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_CHECK 4471 0 : Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression \"geoLocationBlocked\" -", "severity": 0, "timezone": "GMT", @@ -3171,6 +3248,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3227,6 +3305,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_EXP_EVAL 4471 0 : User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine", "severity": 0, "timezone": "GMT", @@ -3235,6 +3314,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3304,6 +3384,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN STA_VALIDATE_RESP 4471 0 : Xdatalen 1024 - Xdata PayloadWithSensitiveInformation", "severity": 0, "timezone": "GMT", 
@@ -3312,6 +3393,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3376,6 +3458,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_FAILURE 4471 0 : Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite \"ECDHE-RSA-AES256-GCM-SHA384\" - Session 0x12a7bf", "severity": 0, "timezone": "GMT", @@ -3384,6 +3467,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3462,6 +3546,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 4471 0 : Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - ProtocolVersion TLS1.3 - CipherSuite \"TLS_AES_128_GCM_SHA256\" - Session 0x12a7c0", "severity": 0, "timezone": "GMT", @@ -3470,6 +3555,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3542,6 +3628,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 4471 0 : Certificate Key Pair RSA2048 - Days To Expire 365", "severity": 0, "timezone": "GMT", @@ -3550,6 +3637,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3608,6 +3696,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_ISSUERNAME 4471 0 : SPCBId 512 - Issuer Name \"CN=Example CA, O=Example Organization, C=US\"", "severity": 0, "timezone": "GMT", @@ -3616,6 +3705,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -3679,6 +3769,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUBJECTNAME 4471 0 : SPCBId 1024 - Subject Name \"CN=www.example.com, O=Example Company, C=US\"", "severity": 0, "timezone": "GMT", @@ -3687,6 +3778,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3755,6 +3847,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_SUCCESS 4471 0 : crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB", "severity": 0, "timezone": "GMT", @@ -3768,6 +3861,7 @@ } }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3842,6 +3936,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_FAILURE 4471 0 : crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE", "severity": 0, "timezone": "GMT", @@ -3855,6 +3950,7 @@ } }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3924,6 +4020,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_SUCCESS 4471 0 : Domainname example.com Ipaddress 1.128.0.0", "severity": 0, "timezone": "GMT", @@ -3932,6 +4029,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -3994,6 +4092,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_FAILURE 4471 0 : Domainname example.net Ipaddress 1.128.0.0", "severity": 0, "timezone": "GMT", 
@@ -4002,6 +4101,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4062,6 +4162,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_EVENT 4471 0 : Session 12345", "severity": 0, "timezone": "GMT", @@ -4070,6 +4171,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4126,6 +4228,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_FAILURE 4471 0 : Failure Reason: CredentialsInvalid", "reason": "CredentialsInvalid", "severity": 0, @@ -4135,6 +4238,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4182,6 +4286,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA LOGIN_FAILED 4471 0 : User john.doe - Client_ip 192.168.1.104 - Failure_reason \"Invalid password\" - Browser Chrome", "outcome": "failure", "reason": "Invalid password", @@ -4192,6 +4297,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4261,6 +4367,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA EXTRACTED_GROUPS 4471 0 : Extracted_groups \"Engineering,Staff\"", "severity": 0, "timezone": "GMT", @@ -4272,6 +4379,7 @@ "name": "Engineering,Staff" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -4329,6 +4437,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_XMLPAYLOAD_CONTENT_TYPE_MISMATCH 4471 0 : XML Mismatched content-type in HTTP header detected = \"text/plain\".", "severity": 0, "timezone": "GMT", @@ -4337,6 +4446,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4394,6 +4504,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DENYURL 4471 0 : Disallow Deny URL for rule pattern = \"http://example.com/badpath\".", "severity": 0, "timezone": "GMT", @@ -4402,6 +4513,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4465,6 +4577,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_CONTENT_TYPE 4471 0 : Unknown content-type header value = \"application/unknown\".", "severity": 0, "timezone": "GMT", @@ -4473,6 +4586,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4530,6 +4644,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REFERER_HEADER 4471 0 : parsing referer header 'http://malicious.com' failed", "severity": 0, "timezone": "GMT", @@ -4543,6 +4658,7 @@ } }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4603,6 +4719,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_URL 4471 0 : URL length(2150) is greater than maximum allowed(2048).", "severity": 0, "timezone": "GMT", 
@@ -4611,6 +4728,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4671,6 +4789,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_COOKIE 4471 0 : Cookie header length(1025) is greater than maximum allowed(1000).", "severity": 0, "timezone": "GMT", @@ -4679,6 +4798,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4739,6 +4859,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_HDR 4471 0 : Header(Referer) length(550) is greater than maximum allowed(512).", "severity": 0, "timezone": "GMT", @@ -4747,6 +4868,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4807,6 +4929,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_QUERY 4471 0 : Query string length(1150) is greater than maximum allowed(1024).", "severity": 0, "timezone": "GMT", @@ -4815,6 +4938,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -4875,6 +4999,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_TOTAL_HDR 4471 0 : Total HTTP header length(4600) is greater than maximum allowed(4096).", "severity": 0, "timezone": "GMT", @@ -4883,6 +5008,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -4940,6 +5066,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_TO_PROFILE 4471 0 : Profile: UserAccount", "severity": 0, "timezone": "GMT", @@ -4948,6 +5075,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5005,6 +5133,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_XML_TO_PROFILE 4471 0 : Profile: AdminSettings", "severity": 0, "timezone": "GMT", @@ -5013,6 +5142,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5070,6 +5200,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_FIELDTYPE 4471 0 : Field Type: String", "severity": 0, "timezone": "GMT", @@ -5078,6 +5209,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5135,6 +5267,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_PROFILE 4471 0 : Profile: SecurityConfig", "severity": 0, "timezone": "GMT", @@ -5143,6 +5276,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5200,6 +5334,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_FIELDTYPE 4471 0 : Field Type: Integer", "severity": 0, "timezone": "GMT", @@ -5208,6 +5343,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -5265,6 +5401,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_PROFILE 4471 0 : Profile: NetworkPreferences", "severity": 0, "timezone": "GMT", @@ -5273,6 +5410,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5330,6 +5468,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_CFFIELD 4471 0 : Field Name: Username", "severity": 0, "timezone": "GMT", @@ -5338,6 +5477,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5395,6 +5535,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_CFFIELD 4471 0 : Field Name: Password", "severity": 0, "timezone": "GMT", @@ -5403,6 +5544,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5460,6 +5602,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_MEMORY_ERR 4471 0 : Content length is too large(4294967296 Bytes). Memory Allocation failed.", "severity": 0, "timezone": "GMT", @@ -5468,6 +5611,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5525,6 +5669,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_SIGNATURE_ERR 4471 0 : Signature id 429 contains no fast match pattern", "severity": 0, "timezone": "GMT", @@ -5533,6 +5678,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -5590,6 +5736,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_SESSIONLIMIT 4471 0 : Appfw maximum session Limit reached for PEID 42", "severity": 0, "timezone": "GMT", @@ -5598,6 +5745,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5655,6 +5803,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_RFCPROFILE 4471 0 : APPFW RFC Profile: WebApplicationSecurity", "severity": 0, "timezone": "GMT", @@ -5663,6 +5812,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5720,6 +5870,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_RFCPROFILE 4471 0 : APPFW RFC Profile: APIGatewaySecurity", "severity": 0, "timezone": "GMT", @@ -5728,6 +5879,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5785,6 +5937,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_NEW_SIGNATURE_ADDED 4471 0 : New signature available: RuleID = 101", "severity": 0, "timezone": "GMT", @@ -5793,6 +5946,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5855,6 +6009,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DEPLOY_RELAXATION_DP 4471 0 : Learned rule will be auto-deployed after 15mins. ViolType: XSS. Profile: UserProfiles", "severity": 0, "timezone": "GMT", @@ -5863,6 +6018,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -5919,6 +6075,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_EVENT 4471 0 : User Name: JohnDoe", "severity": 0, "timezone": "GMT", @@ -5927,6 +6084,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -5989,6 +6147,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_CONNECTION_EVENT 4471 0 : User Name: JaneSmith", "severity": 0, "timezone": "GMT", @@ -5997,6 +6156,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6071,6 +6231,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_SETUP 4471 0 : session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1", "severity": 0, "timezone": "GMT", @@ -6079,6 +6240,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6160,6 +6322,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA CHANNEL_UPDATE 4471 0 : session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50", "severity": 0, "timezone": "GMT", 
@@ -6168,6 +6331,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6247,6 +6411,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_UPDATE 4471 0 : session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 2022-09-27T18:00:00.000 -", "severity": 0, "timezone": "GMT", @@ -6255,6 +6420,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6340,6 +6506,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA L7_LATENCY_UPDATE 4471 0 : session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -", "severity": 0, "timezone": "GMT", @@ -6348,6 +6515,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6409,6 +6577,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_TERMINATE 4471 0 : session_guid MNO345 - device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z", "severity": 0, "timezone": "GMT", 
@@ -6417,6 +6586,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6493,6 +6663,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA NETWORK_UPDATE 4471 0 : session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3", "severity": 0, "timezone": "GMT", @@ -6501,6 +6672,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6572,6 +6744,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_LAUNCH 4471 0 : session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp", "severity": 0, "timezone": "GMT", @@ -6580,6 +6753,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6645,6 +6819,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_TERMINATE 4471 0 : session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z", "severity": 0, "timezone": "GMT", @@ -6653,6 +6828,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -6714,6 +6890,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGIN 4471 0 : User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type \"Firefox\" - Group(s) \"Admin,IT\"", "severity": 0, "timezone": "GMT", @@ -6725,6 +6902,7 @@ "name": "Admin,IT" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6816,8 +6994,10 @@ "category": [ "network" ], + "duration": 3600000000000, "end": "2023-04-04T09:30:00.000Z", "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGOUT 4471 0 : User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"", "severity": 0, "start": "2023-04-04T08:30:00.000Z", @@ -6830,6 +7010,7 @@ "name": "HR,Finance" }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -6904,6 +7085,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"AccessRestriction\"", "severity": 0, "timezone": "GMT", @@ -6912,6 +7094,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -6969,6 +7152,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_INPUT_URL 4471 0 : HTML_URL https://example.com/page", "severity": 0, "timezone": "GMT", @@ -6977,6 +7161,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7040,6 +7225,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_REWRITTEN_URL 4471 0 : REWRITTEN_URL https://example.com/proxy?url=page", "severity": 0, "timezone": "GMT", @@ -7048,6 +7234,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7112,6 +7299,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_MATCHED_URL 4471 0 : MATCHED_URL https://example.com/assets/image.jpg", "severity": 0, "timezone": "GMT", @@ -7120,6 +7308,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7182,6 +7371,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM ACTION_MISMATCH 4471 0 : Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High", "severity": 0, "timezone": "GMT", @@ -7190,6 +7380,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7245,6 +7436,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM PCRE_ERROR 4471 0 : Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5", "severity": 0, "timezone": "GMT", @@ -7253,6 +7445,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -7306,6 +7499,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM REQ_WRITE_ERROR 4471 0 : Client 1.128.0.0 - Profile Gateway - Failed to write Location request header", "severity": 0, "timezone": "GMT", @@ -7314,6 +7508,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7372,6 +7567,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : BOT BOT_SIG_AUTO_UPDATE 4471 0 : Bot New Signature Available. Newly added Rules: 5 DeletedRules: 2", "severity": 0, "timezone": "GMT", @@ -7380,6 +7576,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7437,6 +7634,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Adding pitboss watch on (1024)", "severity": 0, "timezone": "GMT", @@ -7445,6 +7643,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7502,6 +7701,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Deleting watch on (2048)", "severity": 0, "timezone": "GMT", @@ -7510,6 +7710,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7571,6 +7772,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_SYSTEM_RESTART 4471 0 : proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system", "severity": 0, "timezone": "GMT", @@ -7579,6 +7781,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -7642,6 +7845,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_PROCESS_RESTART 4471 0 : Restarting process old pid (8192) action (respawn)", "severity": 0, "timezone": "GMT", @@ -7650,6 +7854,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7712,6 +7917,7 @@ "network" ], "id": "37819", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite \"TLS1.3-AES256-GCM-SHA384\" - Session New - HandshakeTime 55 ms", "severity": 0, "timezone": "GMT", @@ -7720,6 +7926,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7800,6 +8007,7 @@ "network" ], "id": "37819", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite \"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\" - Session New - SERVER_AUTHENTICATED -SerialNumber \"12CF1F64F01429F7\" - SignatureAlgorithm \"sha256WithRSAEncryption\" - ValidFrom \"Apr 20 07:46:28 2023 GMT\" - ValidTo \"May 1 20:22:03 2024 GMT\" - HandshakeTime 8 ms", "severity": 0, "timezone": "GMT", @@ -7808,6 +8016,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -7877,6 +8086,7 @@ "network" ], "id": "39207", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 39207 0 : SPCBId 3376283 - IssuerName \" C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2\"", "severity": 0, "timezone": "GMT", @@ -7885,6 +8095,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -7953,6 +8164,7 @@ "network" ], "id": "31626", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 31626 0 : SPCBId 2558141 - ClientIP 1.128.0.0 - ClientPort 54686 - VserverServiceIP 1.128.0.1 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \"NA\"Session New - Reason \"Wrong protocol version in the message\"", "reason": "Wrong protocol version in the message", "severity": 0, @@ -7962,6 +8174,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -8038,6 +8251,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -", "severity": 0, "timezone": "GMT", @@ -8049,6 +8263,7 @@ "name": "N/A" }, "observer": { + "hostname": "ns", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -8129,6 +8344,7 @@ "authentication" ], "id": "4471", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -", "severity": 0, "timezone": "GMT", @@ -8140,6 +8356,7 @@ "name": "N/A" }, "observer": { + "hostname": "ns", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -8240,8 +8457,10 @@ "category": [ "authentication" ], + "duration": 27000000000, "end": "2022-06-14T16:18:18.000Z", "id": "4471", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", "severity": 0, "start": "2022-06-14T16:17:51.000Z", @@ -8251,6 +8470,7 @@ ] }, "observer": { + "hostname": "ns", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -8332,6 +8552,7 @@ "process" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", "outcome": "success", "severity": 0, @@ -8341,6 +8562,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" 
@@ -8412,6 +8634,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", "severity": 0, "timezone": "GMT", @@ -8420,6 +8643,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -8485,6 +8709,7 @@ "network" ], "id": "4471", + "kind": "event", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", "severity": 0, "timezone": "GMT", @@ -8493,6 +8718,7 @@ ] }, "observer": { + "hostname": "ns1", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -8572,6 +8798,7 @@ "authentication" ], "id": "152923587", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", "severity": 0, "timezone": "GMT", @@ -8583,6 +8810,7 @@ "name": "N/A" }, "observer": { + "hostname": "ns", "product": "Netscaler", "type": "firewall", "vendor": "Citrix" @@ -8669,6 +8897,7 @@ "authentication" ], "id": "152923587", + "kind": "event", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", "severity": 0, "timezone": "GMT", 
@@ -8680,6 +8909,7 @@
 "name": "N/A"
 },
 "observer": {
+ "hostname": "ns",
 "product": "Netscaler",
 "type": "firewall",
 "vendor": "Citrix"
@@ -8709,4 +8939,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 325524359ab..64ce0335861 100644
--- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -264,6 +264,16 @@ processors:
 copy_from: citrix_adc.log.end_time
 ignore_empty_value: true
+ - script:
+ lang: painless
+ description: Calculates duration from event.start and event.end, as its easer than parsing citrix_adc.log.duration
+ if: ctx?.event?.start != null && ctx?.event?.end != null && ctx?.event?.duration == null
+ source: >-
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ZonedDateTime end = ZonedDateTime.parse(ctx.event.end);
+ ctx.event.duration = ChronoUnit.NANOS.between(start, end);
+ tag: calculate_event_duration
+
 - geoip:
 field: client.ip
 tag: geoip_client_ip_to_client_geo
@@ -274,6 +284,7 @@ processors:
 tag: geoip_source_ip_to_source_geo
 target_field: source.geo
 ignore_missing: true
+
 # IP Autonomous System (AS) Lookup
 - geoip:
 database_file: GeoLite2-ASN.mmdb
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml
index ea6bec4fe57..7bb3d016680 100644
--- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml
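Review bot: `ZonedDateTime.parse` in the calculate_event_duration script throws if either event.start or event.end is not an ISO-8601 string carrying a zone, and the new processor has neither `on_failure` nor `ignore_failure`, so a single odd timestamp fails the whole document instead of just leaving event.duration unset. The preceding set processor copies event.end straight from citrix_adc.log.end_time; if that value can reach this script without having gone through a date processor, a guard is needed, and nothing stops a negative duration when end precedes start (clock skew, swapped fields). I would add an `on_failure` that appends the processor tag and failure message to error.message, the usual pattern in these integration pipelines, so a parse problem is visible in the indexed event rather than dropping it. The fixture for the AAATM LOGOUT sample also computes 3600000000000 ns from Start_time/End_time while the message's own `Duration 00:00:04` says 4 s; the sample is probably synthetic, but a short comment that the computed value intentionally wins over the logged one would help the next maintainer. The description also has a typo: `description: Calculates duration from event.start and event.end, as it's easier than parsing citrix_adc.log.duration`.
```yaml
  - script:
      lang: painless
      description: Calculates duration from event.start and event.end, as it's easier than parsing citrix_adc.log.duration
      # … unchanged: if / source …
      tag: calculate_event_duration
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
```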
@@ -240,6 +240,21 @@ processors: tag: set_user_name_from_username copy_from: citrix_adc.log.username ignore_empty_value: true + - set: + field: event.kind + value: event + - set: + field: event.outcome + value: success + if: ctx?.event?.outcome == null && ctx?.event?.category == "authentication" && ctx?.citrix_adc?.log?.access == "Allowed" + - set: + field: event.outcome + value: failure + if: ctx?.event?.outcome == null && ctx?.event?.category == "authentication" && ctx?.citrix_adc?.log?.access != "Allowed" + - set: + field: observer.hostname + copy_from: citrix.host + ignore_empty_value: true - convert: field: citrix_adc.log.reputation tag: convert_reputation_to_long diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml index e438824523a..5973722c593 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml 
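Review bot: The `event.outcome: failure` condition `ctx?.citrix_adc?.log?.access != "Allowed"` is also true when `citrix_adc.log.access` is absent, so every `authentication`-category event whose message carries no `Access` field is labelled a failed authentication unless an earlier processor already set `event.outcome`, which matters because detection rules commonly key on `event.outcome: failure`. Tightening it to `if: ctx?.event?.outcome == null && ctx?.event?.category == "authentication" && ctx?.citrix_adc?.log?.access != null && ctx?.citrix_adc?.log?.access != "Allowed"` confines `failure` to messages that actually report an access decision. The four new `set` processors also lack the `tag:` the neighbouring processors carry (`set_user_name_from_username` in the context), so a failure in them is harder to attribute, and `copy_from: citrix.host` presumes that field is populated by a grok outside this hunk.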
@@ -7,16 +7,16 @@ processors: if: 'ctx.citrix.name == "LOGIN"' field: citrix.extended.message patterns: - - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type "%{DATA:citrix_adc.log.browser_type}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type "%{DATA:citrix_adc.log.browser_type}" - SSLVPN_client_type %{DATA:citrix_adc.log.sslvpn_client_type} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - - '^(Logout handler : )?Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - (Nat_ip %{IP:citrix_adc.log.nat.ip}|Nat_ip "%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type "%{DATA:citrix_adc.log.browser_type}" - (SSLVPN_client_type %{WORD:citrix_adc.log.sslvpn_client_type} - )?Group\(s\) "%{DATA:citrix_adc.log.groups}" ?' 
+ - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type "%{DATA:citrix_adc.log.browser_type}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' + - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type "%{DATA:citrix_adc.log.browser_type}" - SSLVPN_client_type %{DATA:citrix_adc.log.sslvpn_client_type} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' + - '^(Logout handler : )?Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type "%{DATA:citrix_adc.log.browser_type}" - (SSLVPN_client_type %{WORD:citrix_adc.log.sslvpn_client_type} - )?Group\(s\) "%{DATA:citrix_adc.log.groups}" ?' 
- grok: tag: grok_sslvpn_logout if: 'ctx.citrix.name == "LOGOUT"' field: citrix.extended.message patterns: - - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{DATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - (NonHttp_services_accessed %{INT:citrix_adc.log.non_http_services_accessed} - )?Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - (Total_UDP_flows %{INT:citrix_adc.log.total_udp_flows} - )?Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied %{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{INT:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{INT:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod "%{DATA:citrix_adc.log.logout_method}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' + - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{DATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - (NonHttp_services_accessed %{INT:citrix_adc.log.non_http_services_accessed} - )?Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - (Total_UDP_flows %{INT:citrix_adc.log.total_udp_flows} - 
)?Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied %{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{INT:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{INT:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod "%{DATA:citrix_adc.log.logout_method}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - '^(Logout handler : )?Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{DATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - NonHttp_services_accessed %{INT:citrix_adc.log.non_http_services_accessed} - Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - Total_UDP_flows %{INT:citrix_adc.log.total_udp_flows} - Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied %{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{INT:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{INT:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod 
"%{DATA:citrix_adc.log.logout_method}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - grok: 
@@ -40,22 +40,22 @@ processors: if: 'ctx.citrix.name == "TCPCONNSTAT"' field: citrix.extended.message patterns: - - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}"$' - - '^Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv 
%{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' + - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}"$' + - '^Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send 
%{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - grok: tag: grok_sslvpn_tcpconn_timeout if: 'ctx.citrix.name == "TCPCONN_TIMEDOUT"' field: citrix.extended.message patterns: - - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Last_contact "%{DATA:citrix_adc.log.last_contact}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' + - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Last_contact "%{DATA:citrix_adc.log.last_contact}" - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - grok: tag: grok_sslvpn_udpflowstat if: 'ctx.citrix.name == "UDPFLOWSTAT"' field: citrix.extended.message patterns: - - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv 
%{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' + - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"${DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$' - grok: tag: grok_sslvpn_httprequest @@ -120,6 +120,8 @@ processors: field: citrix.extended.message patterns: - '^Logout handler : %{DATA}, for user <%{USERNAME|EMAILADDRESS:citrix_adc.log.username}>$' + - '^aaatm_handler successfully parsed assertion client ip is %{IP:citrix_adx.log.client_ip}, username is %{DATA:citrix_adc.log.user}$' + - '%{DATA}' - convert: field: citrix_adc.log.client_ip diff --git a/packages/citrix_adc/manifest.yml b/packages/citrix_adc/manifest.yml index e18933f501f..37048d76613 100644 --- a/packages/citrix_adc/manifest.yml +++ b/packages/citrix_adc/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: citrix_adc title: Citrix ADC -version: "1.11.0" +version: "1.12.0" description: This Elastic integration collects logs and metrics from Citrix ADC product. type: integration categories:
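Review bot: The UDPFLOWSTAT pattern uses `"${DATA}"` where every other pattern in this commit uses `"%{DATA}"`; `${...}` is not grok syntax, so `Nat_ip "Mapped Ip"` messages for UDPFLOWSTAT still fail to match and the processor raises a grok failure. Change it to `Nat_ip (%{IP:citrix_adc.log.nat.ip}|"%{DATA}")` so it agrees with the LOGIN, LOGOUT, TCPCONNSTAT and TCPCONN_TIMEDOUT patterns.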
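Review bot: The new `aaatm_handler` pattern captures into `citrix_adx.log.client_ip` (`adx`, not `adc`), so the client IP lands in an unmapped field and the `convert` processor right below, which acts on `citrix_adc.log.client_ip`, never sees it; change the capture to `%{IP:citrix_adc.log.client_ip}`. The trailing `'%{DATA}'` catch-all matches any input, including an empty message, so this grok can no longer signal an unrecognised `Message` form; that is the commit's stated intent, but it deserves a comment above that line such as `# catch-all: unrecognised Message forms are accepted unparsed`. The processor's `tag` and `if` lines sit above this hunk.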