From 6d6eca6e00a4123a1b5e703e8925f8985f301ebe Mon Sep 17 00:00:00 2001
From: mo
Date: Wed, 30 Oct 2024 17:37:07 -0400
Subject: [PATCH 1/5] trim and parse dates in painless
---
.../sample_logs/citrix-adc-custom-date.log | 1 +
.../test-interface-metrics.log-expected.json | 2 +-
.../test-lbvserver-metrics.log-expected.json | 2 +-
...trix-native-with-delink.json-expected.json | 10 +-
.../test-citrix-native.json-expected.json | 10 +-
.../pipeline/test-citrix-sslvpn-message.log | 3 +-
...st-citrix-sslvpn-message.log-expected.json | 91 +++++++++-
.../test-citrix-waf-cef.log-expected.json | 12 +-
.../test-citrix-waf-native.log-expected.json | 156 +++--------------
.../elasticsearch/ingest_pipeline/default.yml | 121 ++++++++-----
.../sslvpn_and_aaatm_feature.yml | 108 ++++++++----
.../ingest_pipeline/tcp_and_acl_feature.yml | 163 ++++++++++--------
.../test-service-metrics.log-expected.json | 2 +-
.../test-system-metrics.log-expected.json | 2 +-
.../test-vpn-metrics.log-expected.json | 2 +-
15 files changed, 368 insertions(+), 317 deletions(-)
diff --git a/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc-custom-date.log b/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc-custom-date.log
index 9854d7eb5082..174ea1268ef1 100644
--- a/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc-custom-date.log
+++ b/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc-custom-date.log
@@ -7,3 +7,4 @@ Oct 21 14:03:30 81.2.69.144 21/10/2014:14:03:30 GMT ns1 0-PPE-0 : <134> 30/09/2024:23:59:59 PRODSYSTEM 0-PPE-0 : default TCP CONN_TERMINATE 28005 0 : Source 192.168.10.10:51799 - Destination 192.168.15.10:443 - Start Time 30/09/2024:23:59:59 - End Time 30/09/2024:23:59:59 - Total_bytes_send 1 - Total_bytes_recv 1 <134> 30/09/2024:23:59:58 PRODSYSTEM 0-PPE-0 : default TCP CONN_TERMINATE 3023 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:38805 - Start Time 30/09/2024:23:59:16 - End Time 30/09/2024:23:59:58 - Total_bytes_send 1 - Total_bytes_recv 1 <134> 30/09/2024:23:59:58 PRODSYSTEM 0-PPE-0 : default TCP CONN_TERMINATE 3020 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:57434 - Start Time 30/09/2024:23:59:11 - End Time 30/09/2024:23:59:58 - Total_bytes_send 1 - Total_bytes_recv 1
+Oct 30 13:53:45 81.2.69.144 30/10/2024:13:53:45 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.1:53736 - Destination 192.168.65.55:443 - customername - username:domainname anonymous: - startTime "30/10/2024:13:53:42 " - endTime "30/10/2024:13:53:43 " - Duration 00:00:01 - Total_bytes_send 6617 - Total_bytes_recv 1217 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 124282686
diff --git a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json
index 2b374284f2e0..b57b8263e203 100644
--- a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json
+++ b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json
@@ -120,4 +120,4 @@ ] } ]
-}
\ No newline at end of file
+}
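Review bot: The added ICAEND_CONNSTAT line carries the trailing space inside the quoted `startTime "30/10/2024:13:53:42 "` and `endTime "30/10/2024:13:53:43 "` values that the subject says is now trimmed, but it is placed under `_dev/deploy/docker/sample_logs`, which as far as I can tell only feeds system tests that do not pin field values, and none of the pipeline-test fixtures in this patch contain a quoted time with trailing whitespace. Adding this line (or just its quoted-time fragment) to a `_dev/test/pipeline/*.log` input with a matching `-expected.json` would make the trim an asserted behaviour instead of an unverified one. The `test-interface-metrics.log-expected.json` hunk on this line is a newline-at-EOF fix only.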
diff --git a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json index 7764a34de7b1..d225e9f4d5b4 100644 --- a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json @@ -271,4 +271,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json index de67bfe0e380..a9e291df7823 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json @@ -59,7 +59,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2024-08-10T09:38:41", + "delink_time": "10/08/2024:09:38:41", "destination": { "ip": "81.2.69.144", "port": 80 @@ -93,7 +93,7 @@ "category": [ "network" ], - "end": "2024-08-10T09:38:41", + "end": "10/08/2024:09:38:41", "id": "6715345", "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, @@ -192,7 +192,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2024-08-21T09:38:41", + "delink_time": "21/08/2024:09:38:41", "destination": { "ip": "81.2.69.144", "port": 80 
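Review bot: The new expected values `"delink_time": "10/08/2024:09:38:41"` and `"end": "10/08/2024:09:38:41"` replace parsed timestamps with the raw Citrix `dd/MM/yyyy:HH:mm:ss` string, so these fixtures now assert that the delink time is no longer parsed; if `event.end` keeps its ECS `date` mapping, a value in this shape is rejected at index time (or silently dropped under `ignore_malformed`). The same regression appears in the `@@ -226` hunk of this file, in both `test-citrix-native.json-expected.json` hunks, and throughout `test-citrix-waf-native.log-expected.json` (`delink_time`, `start_time`, `end_time`, `start`, `end`), where the fixture additionally mixes `10/06/2014:14:03:23` with `2022/06/14:16:05:04` in the same field, so `citrix_adc.log.delink_time` no longer has one consistent format. If parsing is meant to return in a later patch of this series, the fixtures should be regenerated there rather than committed in a state the data stream cannot index; otherwise the `date` processor should keep running over these fields with formats `dd/MM/yyyy:HH:mm:ss`, `yyyy/MM/dd:HH:mm:ss` and `ISO8601` and the captured `*_timezone` value. The `test-lbvserver-metrics.log-expected.json` hunk on this line is a newline-at-EOF fix only.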
@@ -226,7 +226,7 @@ "category": [ "network" ], - "end": "2024-08-21T09:38:41", + "end": "21/08/2024:09:38:41", "id": "6715345", "original": "<131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, @@ -267,4 +267,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json index 8e3e318161ca..a83315d8df89 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-08T09:38:41.000Z", + "@timestamp": "2024-08-10T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, @@ -15,7 +15,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2024-10-08T09:38:41.000Z", + "delink_time": "10/08/2024:09:38:41", "destination": { "ip": "81.2.69.144", "port": 80 @@ -49,7 +49,7 @@ "category": [ "network" ], - "end": "2024-10-08T09:38:41.000Z", + "end": "10/08/2024:09:38:41", "id": "6715345", "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, @@ -90,7 +90,7 @@ ] }, { - "@timestamp": "2024-10-08T09:38:41.000Z", + "@timestamp": "2024-08-10T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, @@ -178,4 +178,4 @@ ] } ] -} \ No newline at end of file +} 
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log
index a249c5f68ee9..572f77ff5fde 100644
--- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log
@@ -1 +1,2 @@
-<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : "[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400"
\ No newline at end of file
+<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : "[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400"
+<134> 30/10/2024:13:52:44 PRODSY3VPX01 0-PPE-0 : default SSLVPN HTTPREQUEST 72251252 0 : Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json
index 7c8b9e58fcab..ad05f751cc02 100644
--- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json
@@ -1,7 +1,6 @@ { "expected": [ {
- "@timestamp": "2024-09-09T14:13:39.000Z", "citrix": { "cef_format": false, "default_class": true,
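Review bot: Removing `"@timestamp": "2024-09-09T14:13:39.000Z"` from the expected output means the pipeline no longer derives `@timestamp` from the event's own `09/09/2024:14:13:39` date, and the same line is deleted for every event in `test-citrix-waf-cef.log-expected.json` and `test-citrix-waf-native.log-expected.json`, even though the native events there still capture `event.timezone: "GMT"`, i.e. everything a `date` processor needs. Outside a pipeline test the document would presumably keep the collector's receive time instead, so ordering and time-window queries drift from the appliance clock, which is exactly the timeline property an investigation relies on; a pipeline-test input has no such fallback at all. Unless a later patch in this series reinstates it, the `date` processor that set `@timestamp` should stay, reading the trimmed source field with `timezone: "{{{event.timezone}}}"` where that field is present, and these fixtures regenerated from it.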
@@ -42,6 +41,94 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "citrix": { + "cef_format": false, + "default_class": true, + "detail": "<134> 30/10/2024:13:52:44 PRODSY3VPX01 0-PPE-0 : default SSLVPN HTTPREQUEST 72251252 0 : Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -" + }, + "name": "HTTPREQUEST" + }, + "citrix_adc": { + "log": { + "client_ip": "1.128.65.1", + "groups": "N/A", + "hostname": "work.remote.example.com", + "message": "Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -", + "method": "GET", + "request": { + "path": "/Citrix/SY3-STOREWeb/custom/style.css" + }, + "session_id": "22569", + "sso_status": "ON", + "timestamp": "30/10/2024:13:52:44", + "user": "fbueller", + "username": "fbueller", + "vserver": { + "ip": "192.168.65.54", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.65.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "72251252", + "original": "<134> 30/10/2024:13:52:44 PRODSY3VPX01 0-PPE-0 : default SSLVPN HTTPREQUEST 72251252 0 : Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -", + "severity": 0, + 
"timezone": "PRODSY3VPX01", + "type": [ + "info" + ] + }, + "group": { + "name": "N/A" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.65.54", + "1.128.65.1" + ], + "user": [ + "fbueller" + ] + }, + "server": { + "ip": "192.168.65.54", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "work.remote.example.com" + }, + "user": { + "name": "fbueller" + } } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json index 84422a507479..7cfe4616dedd 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json @@ -1,7 +1,6 @@ { "expected": [ { - "@timestamp": "2015-06-12T23:37:17.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -84,7 +83,6 @@ } }, { - "@timestamp": "2015-06-13T00:21:28.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -168,7 +166,6 @@ } }, { - "@timestamp": "2015-06-13T00:25:31.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -251,7 +248,6 @@ } }, { - "@timestamp": "2015-06-13T01:11:09.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -335,7 +331,6 @@ } }, { - "@timestamp": "2015-06-08T00:21:09.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -421,7 +416,6 @@ } }, { - "@timestamp": "2015-06-09T23:50:53.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -507,7 +501,6 @@ } }, { - "@timestamp": "2012-12-19T00:38:09.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -590,7 +583,6 @@ } }, { - "@timestamp": "2012-12-19T00:38:09.000Z", "citrix": { "cef_format": true, "cef_version": "0", 
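Review bot: In the new HTTPREQUEST event the expected `event` object contains `"timezone": "PRODSY3VPX01"`, which is the appliance hostname from `30/10/2024:13:52:44 PRODSY3VPX01 0-PPE-0`, not a timezone; the header pattern evidently treats the token after the date as a zone whenever the message carries none (compare the `10/06/2014:14:03:23 GMT ns1` events, where `GMT` lands there), so this event ends up with no hostname in `observer`/`host` and an `event.timezone` value that would break any `date` processor fed from it. The pattern should make the zone token optional, matching it only against a zone-shaped token such as `GMT` or `[+-]hh:mm`, and map the following token to the hostname. Separately, `"group": { "name": "N/A" }` and `"groups": "N/A"` promote Citrix's placeholder for "no groups" into an ECS field; dropping `group.name` when the captured value is `N/A` keeps the field meaningful for group-based searches. `"category": ["authentication"]` for a proxied `GET /Citrix/SY3-STOREWeb/custom/style.css` also looks like a stretch, `web` seems the closer fit, though that may be a deliberate package convention.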
@@ -673,7 +665,6 @@ } }, { - "@timestamp": "2012-12-18T21:46:17.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -757,7 +748,6 @@ } }, { - "@timestamp": "2012-12-19T01:07:56.000Z", "citrix": { "cef_format": true, "cef_version": "0", @@ -840,4 +830,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json index 29ff14f068cd..035d876049e0 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json @@ -1,7 +1,6 @@ { "expected": [ { - "@timestamp": "2015-06-22T19:14:37.000Z", "citrix": { "cef_format": false, "default_class": true, @@ -66,7 +65,6 @@ ] }, { - "@timestamp": "2017-12-04T17:21:00.000Z", "citrix": { "cef_format": false, "detail": "12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"RC4-MD5 TLSv1.2 Non-Export 128-bit\" - Session Reuse", @@ -139,7 +137,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352", @@ -154,7 +151,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2014-10-06T14:03:23.000Z", + "delink_time": "10/06/2014:14:03:23", "delink_timezone": "GMT", "destination": { "ip": "81.2.69.144", 
@@ -204,7 +201,7 @@ "category": [ "network" ], - "end": "2014-10-06T14:03:23.000Z", + "end": "10/06/2014:14:03:23", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352", "severity": 0, @@ -244,7 +241,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:30.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", @@ -263,14 +259,14 @@ "ip": "192.168.10.51", "port": 35341 }, - "end_time": "2014-10-06T14:03:30.000Z", + "end_time": "10/06/2014:14:03:30", "end_time_timezone": "GMT", "message": "Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "source": { "ip": "192.168.10.35", "port": 80 }, - "start_time": "2014-10-06T14:02:43.000Z", + "start_time": "10/06/2014:14:02:43", "start_time_timezone": "GMT", "total_bytes_received": 1, "total_bytes_send": 1 @@ -303,11 +299,11 @@ "category": [ "network" ], - "end": "2014-10-06T14:03:30.000Z", + "end": "10/06/2014:14:03:30", "id": "4472", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, - "start": "2014-10-06T14:02:43.000Z", + "start": "10/06/2014:14:02:43", "timezone": "GMT", "type": [ "end", 
@@ -337,7 +333,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:30.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", @@ -356,14 +351,14 @@ "ip": "127.0.0.2", "port": 55623 }, - "end_time": "2014-10-06T14:03:30.000Z", + "end_time": "10/06/2014:14:03:30", "end_time_timezone": "GMT", "message": "Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "source": { "ip": "127.0.0.1", "port": 7776 }, - "start_time": "2014-10-06T14:02:45.000Z", + "start_time": "10/06/2014:14:02:45", "start_time_timezone": "GMT", "total_bytes_received": 1, "total_bytes_send": 1 @@ -396,11 +391,11 @@ "category": [ "network" ], - "end": "2014-10-06T14:03:30.000Z", + "end": "10/06/2014:14:03:30", "id": "4473", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, - "start": "2014-10-06T14:02:45.000Z", + "start": "10/06/2014:14:02:45", "timezone": "GMT", "type": [ "end", @@ -430,7 +425,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:30.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", 
@@ -449,14 +443,14 @@ "ip": "127.0.0.2", "port": 39771 }, - "end_time": "2014-10-06T14:03:30.000Z", + "end_time": "10/06/2014:14:03:30", "end_time_timezone": "GMT", "message": "Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "source": { "ip": "127.0.0.1", "port": 80 }, - "start_time": "2014-10-06T14:02:46.000Z", + "start_time": "10/06/2014:14:02:46", "start_time_timezone": "GMT", "total_bytes_received": 1, "total_bytes_send": 1 @@ -489,11 +483,11 @@ "category": [ "network" ], - "end": "2014-10-06T14:03:30.000Z", + "end": "10/06/2014:14:03:30", "id": "4474", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, - "start": "2014-10-06T14:02:46.000Z", + "start": "10/06/2014:14:02:46", "timezone": "GMT", "type": [ "end", @@ -523,7 +517,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", @@ -538,7 +531,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2022-06-14T16:05:04.000Z", + "delink_time": "2022/06/14:16:05:04", "delink_timezone": "GMT", "destination": { "ip": "1.128.0.0", 
@@ -588,7 +581,7 @@ "category": [ "network" ], - "end": "2022-06-14T16:05:04.000Z", + "end": "2022/06/14:16:05:04", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", "severity": 0, @@ -629,7 +622,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", @@ -720,7 +712,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400", @@ -826,7 +817,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", 
@@ -932,7 +922,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", @@ -1038,7 +1027,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data", @@ -1130,7 +1118,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL6_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data", @@ -1222,7 +1209,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_QUERY 4471 0 : Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated ", @@ -1318,7 +1304,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_RESPONSE 4471 0 : Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked ", 
@@ -1414,7 +1399,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_ERROR 4471 0 : Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved ", @@ -1510,7 +1494,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_SIP_INFO_PACKET_EVENT 4471 0 : Infomsg: \"SIP request received\" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -", @@ -1645,7 +1628,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_RTSP_INFO_DELETE_CALL_PACKET_EVENT 4471 0 : Infomsg: \"Log info RTSP ALG call deletion\" - Group: RTSPALG - Session_ID: session123 -", @@ -1716,7 +1698,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : URLFILT URLFILT_LOG 4471 0 : Source 192.168.1.100 - Destination 1.128.0.0 URL www.example.com/page - Category Technology - Categorygroup Internet - Reputation 3 - Policyaction ALLOW", 
@@ -1797,13 +1778,11 @@ "preserve_duplicate_custom_fields" ], "url": { - "extension": "com/page", "original": "www.example.com/page", "path": "www.example.com/page" } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI ICAP_LOG 4471 0 : Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY", @@ -1911,7 +1890,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI INLINE_INSPECTION_LOG 4471 0 : ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS - URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344", @@ -2026,7 +2004,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI TRAFFIC_MIRROR_LOG 4471 0 : ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344", @@ -2141,7 +2118,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", 
@@ -2222,7 +2198,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGIN 4471 0 : User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type \"Chrome\" - SSLVPN_client_type NetScalerPlugin - Group(s) \"IT,RemoteWorkers\"", @@ -2306,7 +2281,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGOUT 4471 0 : User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"", @@ -2410,7 +2384,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICASTART 4471 0 : Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c", 
@@ -2511,7 +2484,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", @@ -2622,7 +2594,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONNSTAT 4471 0 : User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"", @@ -2733,7 +2704,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONN_TIMEDOUT 4471 0 : User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact \"2023-04-01T13:00:00Z\" - Group(s) \"Sales,Marketing\"", 
@@ -2816,7 +2786,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN UDPFLOWSTAT 4471 0 : User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", @@ -2923,7 +2892,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"SecurityPolicy\"", @@ -2988,7 +2956,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"UnauthorizedAccessAttempt\"", @@ -3053,7 +3020,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LICLMT_REACHED 4471 0 : Vserver 1.128.0.0:443 - License_limit 500", @@ -3127,7 +3093,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_CHECK 4471 0 : Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression \"geoLocationBlocked\" -", @@ -3190,7 +3155,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_EXP_EVAL 4471 0 : User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine", 
@@ -3260,7 +3224,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN STA_VALIDATE_RESP 4471 0 : Xdatalen 1024 - Xdata PayloadWithSensitiveInformation", @@ -3326,7 +3289,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_FAILURE 4471 0 : Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite \"ECDHE-RSA-AES256-GCM-SHA384\" - Session 0x12a7bf", @@ -3412,7 +3374,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 4471 0 : Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - ProtocolVersion TLS1.3 - CipherSuite \"TLS_AES_128_GCM_SHA256\" - Session 0x12a7c0", @@ -3498,7 +3459,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 4471 0 : Certificate Key Pair RSA2048 - Days To Expire 365", @@ -3564,7 +3524,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_ISSUERNAME 4471 0 : SPCBId 512 - Issuer Name \"CN=Example CA, O=Example Organization, C=US\"", @@ -3635,7 +3594,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUBJECTNAME 4471 0 : SPCBId 1024 - Subject Name \"CN=www.example.com, O=Example Company, C=US\"", 
@@ -3706,7 +3664,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_SUCCESS 4471 0 : crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB", @@ -3793,7 +3750,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_FAILURE 4471 0 : crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE", @@ -3880,7 +3836,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_SUCCESS 4471 0 : Domainname example.com Ipaddress 1.128.0.0", @@ -3950,7 +3905,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_FAILURE 4471 0 : Domainname example.net Ipaddress 1.128.0.0", @@ -4020,7 +3974,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_EVENT 4471 0 : Session 12345", @@ -4084,7 +4037,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_FAILURE 4471 0 : Failure Reason: CredentialsInvalid", @@ -4149,7 +4101,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA LOGIN_FAILED 4471 0 : User john.doe - Client_ip 192.168.1.104 - Failure_reason \"Invalid password\" - Browser Chrome", @@ -4219,7 +4170,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA EXTRACTED_GROUPS 4471 0 : Extracted_groups \"Engineering,Staff\"", 
@@ -4286,7 +4236,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_XMLPAYLOAD_CONTENT_TYPE_MISMATCH 4471 0 : XML Mismatched content-type in HTTP header detected = \"text/plain\".", @@ -4351,7 +4300,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DENYURL 4471 0 : Disallow Deny URL for rule pattern = \"http://example.com/badpath\".", @@ -4422,7 +4370,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_CONTENT_TYPE 4471 0 : Unknown content-type header value = \"application/unknown\".", @@ -4487,7 +4434,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REFERER_HEADER 4471 0 : parsing referer header 'http://malicious.com' failed", @@ -4557,7 +4503,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_URL 4471 0 : URL length(2150) is greater than maximum allowed(2048).", @@ -4625,7 +4570,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_COOKIE 4471 0 : Cookie header length(1025) is greater than maximum allowed(1000).", @@ -4693,7 +4637,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_HDR 4471 0 : Header(Referer) length(550) is greater than maximum allowed(512).", 
@@ -4761,7 +4704,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_QUERY 4471 0 : Query string length(1150) is greater than maximum allowed(1024).", @@ -4829,7 +4771,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_TOTAL_HDR 4471 0 : Total HTTP header length(4600) is greater than maximum allowed(4096).", @@ -4897,7 +4838,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_TO_PROFILE 4471 0 : Profile: UserAccount", @@ -4962,7 +4902,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_XML_TO_PROFILE 4471 0 : Profile: AdminSettings", @@ -5027,7 +4966,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_FIELDTYPE 4471 0 : Field Type: String", @@ -5092,7 +5030,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_PROFILE 4471 0 : Profile: SecurityConfig", @@ -5157,7 +5094,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_FIELDTYPE 4471 0 : Field Type: Integer", @@ -5222,7 +5158,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_PROFILE 4471 0 : Profile: NetworkPreferences", 
@@ -5287,7 +5222,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_CFFIELD 4471 0 : Field Name: Username", @@ -5352,7 +5286,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_CFFIELD 4471 0 : Field Name: Password", @@ -5417,7 +5350,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_MEMORY_ERR 4471 0 : Content length is too large(4294967296 Bytes). Memory Allocation failed.", @@ -5482,7 +5414,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_SIGNATURE_ERR 4471 0 : Signature id 429 contains no fast match pattern", @@ -5547,7 +5478,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_SESSIONLIMIT 4471 0 : Appfw maximum session Limit reached for PEID 42", @@ -5612,7 +5542,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_RFCPROFILE 4471 0 : APPFW RFC Profile: WebApplicationSecurity", @@ -5677,7 +5606,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_RFCPROFILE 4471 0 : APPFW RFC Profile: APIGatewaySecurity", @@ -5742,7 +5670,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_NEW_SIGNATURE_ADDED 4471 0 : New signature available: RuleID = 101", 
@@ -5810,7 +5737,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DEPLOY_RELAXATION_DP 4471 0 : Learned rule will be auto-deployed after 15mins. ViolType: XSS. Profile: UserProfiles", @@ -5877,7 +5803,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_EVENT 4471 0 : User Name: JohnDoe", @@ -5947,7 +5872,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_CONNECTION_EVENT 4471 0 : User Name: JaneSmith", @@ -6017,7 +5941,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_SETUP 4471 0 : session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1", @@ -6100,7 +6023,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA CHANNEL_UPDATE 4471 0 : session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50", 
@@ -6182,7 +6104,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_UPDATE 4471 0 : session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 2022-09-27T18:00:00.000 -", @@ -6280,7 +6201,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA L7_LATENCY_UPDATE 4471 0 : session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -", @@ -6362,7 +6282,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_TERMINATE 4471 0 : session_guid MNO345 - device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z", @@ -6431,7 +6350,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA NETWORK_UPDATE 4471 0 : session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3", 
@@ -6518,7 +6436,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_LAUNCH 4471 0 : session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp", @@ -6594,7 +6511,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_TERMINATE 4471 0 : session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z", @@ -6667,7 +6583,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGIN 4471 0 : User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type \"Firefox\" - Group(s) \"Admin,IT\"", @@ -6754,7 +6669,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGOUT 4471 0 : User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"", 
@@ -6861,7 +6775,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"AccessRestriction\"", @@ -6926,7 +6839,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_INPUT_URL 4471 0 : HTML_URL https://example.com/page", @@ -6997,7 +6909,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_REWRITTEN_URL 4471 0 : REWRITTEN_URL https://example.com/proxy?url=page", @@ -7069,7 +6980,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_MATCHED_URL 4471 0 : MATCHED_URL https://example.com/assets/image.jpg", @@ -7141,7 +7051,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM ACTION_MISMATCH 4471 0 : Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High", @@ -7204,7 +7113,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM PCRE_ERROR 4471 0 : Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5", @@ -7267,7 +7175,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM REQ_WRITE_ERROR 4471 0 : Client 1.128.0.0 - Profile Gateway - Failed to write Location request header", @@ -7328,7 +7235,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : BOT BOT_SIG_AUTO_UPDATE 4471 0 : Bot New Signature Available. Newly added Rules: 5 DeletedRules: 2", 
@@ -7394,7 +7300,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Adding pitboss watch on (1024)", @@ -7459,7 +7364,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Deleting watch on (2048)", @@ -7524,7 +7428,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_SYSTEM_RESTART 4471 0 : proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system", @@ -7597,7 +7500,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_PROCESS_RESTART 4471 0 : Restarting process old pid (8192) action (respawn)", @@ -7664,7 +7566,6 @@ ] }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite \"TLS1.3-AES256-GCM-SHA384\" - Session New - HandshakeTime 55 ms", @@ -7744,7 +7645,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite \"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\" - Session New - SERVER_AUTHENTICATED -SerialNumber \"12CF1F64F01429F7\" - SignatureAlgorithm \"sha256WithRSAEncryption\" - ValidFrom \"Apr 20 07:46:28 2023 GMT\" - ValidTo \"May 1 20:22:03 2024 GMT\" - HandshakeTime 8 ms", 
@@ -7832,7 +7732,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "default_class": true, @@ -7904,7 +7803,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "default_class": true, @@ -7986,7 +7884,6 @@ } }, { - "@timestamp": "2015-06-22T19:14:37.000Z", "citrix": { "cef_format": false, "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -", @@ -8011,7 +7908,7 @@ }, "session_id": "12690921", "sso_status": "ON", - "timestamp": "2022-06-14T16:07:48.000Z", + "timestamp": "2022/06/14:16:07:48", "user": "someusername", "username": "someusername", "vserver": { @@ -8077,7 +7974,6 @@ } }, { - "@timestamp": "2015-06-22T19:14:37.000Z", "citrix": { "cef_format": false, "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -", @@ -8101,7 +7997,7 @@ "path": "/Some/Url/Concealed" }, "session_id": "104248", - "timestamp": "2022-07-07T11:22:00.000Z", + "timestamp": "07/07/2022:11:22:00", "timezone": "GMT", "user": "some.email@company.com", "username": "another.email@company.com", 
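Review bot: The `timestamp` values in the two `SSLVPN HTTPREQUEST` hunks here change from ISO 8601 (`2022-06-14T16:07:48.000Z`) to the raw log form (`2022/06/14:16:07:48`, `07/07/2022:11:22:00`), and the hunks on the next two lines do the same for `citrix_adc.log.start_time`/`end_time` and for ECS `event.start`/`event.end`. Accepting these values in the fixture masks that the new painless date script is not parsing formats the removed `date` processors handled; `event.start` and `event.end` are mapped as `date` in ECS, so an unparsed `2022/06/14:16:17:51` will be rejected at index time even though the pipeline test passes. The expected values should stay as the ISO strings and the script fixed instead.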
@@ -8168,7 +8064,6 @@ } }, { - "@timestamp": "2015-06-22T19:14:37.000Z", "citrix": { "cef_format": false, "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", @@ -8192,7 +8087,7 @@ }, "domain_name": "example.domain.com", "duration": "00:00:27", - "end_time": "2022-06-14T16:18:18.000Z", + "end_time": "2022/06/14:16:18:18", "message": "Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", "source": { "ip": "1.128.0.0", @@ -8202,7 +8097,7 @@ "address": "1.128.0.2", "port": 2598 }, - "start_time": "2022-06-14T16:17:51.000Z", + "start_time": "2022/06/14:16:17:51", "total_bytes_received": 36983, "total_bytes_send": 193250, "total_bytes_wire_recieved": "8320800952261094732", 
@@ -8239,11 +8134,11 @@ "category": [ "authentication" ], - "end": "2022-06-14T16:18:18.000Z", + "end": "2022/06/14:16:18:18", "id": "4471", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", "severity": 0, - "start": "2022-06-14T16:17:51.000Z", + "start": "2022/06/14:16:17:51", "timezone": "GMT", "type": [ "info" @@ -8286,7 +8181,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", @@ -8368,7 +8262,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", @@ -8441,7 +8334,6 @@ } }, { - "@timestamp": "2014-10-06T14:03:23.000Z", "citrix": { "cef_format": false, "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", 
@@ -8514,7 +8406,6 @@ } }, { - "@timestamp": "2015-06-22T19:14:37.000Z", "citrix": { "cef_format": false, "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", @@ -8611,7 +8502,6 @@ } }, { - "@timestamp": "2015-06-22T19:14:37.000Z", "citrix": { "cef_format": false, "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", @@ -8708,4 +8598,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 61ed2cddd382..f73b9254af24 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -58,61 +58,98 @@ processors: tag: set_event_timezone_from_tz_offset copy_from: _conf.tz_offset if: ctx.event?.timezone == null || ctx.event?.timezone == "" - - date: - if: ctx._tmp?.timestamp8601 != null - tag: date_tmp_timestamp8601 - field: _tmp.timestamp8601 - timezone: '{{{event.timezone}}}' - formats: - - ISO8601 + - set: field: _tmp.timestamp tag: set_tmp_timestamp if: ctx._tmp?.timestamp != null && ctx.citrix?.event_year != null value: "{{{citrix.event_year}}} {{{_tmp.timestamp}}}" - - date: - if: ctx._tmp?.timestamp != null - tag: date_tmp_timestamp - field: _tmp.timestamp - timezone: '{{{event.timezone}}}' - formats: - - MMM d HH:mm:ss - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMMM d HH:mm:ss - - MMMM d HH:mm:ss - - MMMM dd HH:mm:ss - - yyyy MMM d HH:mm:ss - - yyyy MMM d HH:mm:ss - - yyyy MMM dd HH:mm:ss - - yyyy MMMM d HH:mm:ss - - yyyy MMMM d HH:mm:ss - - yyyy MMMM dd HH:mm:ss + - script: - description: Convert timestamp_native via custom format - tag: date_tmp_timestamp_native_custom_format + description: Convert delink_time via custom format + tag: date_delink_time_custom_format lang: painless + params: + fields: + timestamp8601: + - ISO8601 + + timestamp_native: + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + - dd/MM/yyyy:HH:mm:ss + + timestamp: + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMMM d HH:mm:ss + - MMMM d HH:mm:ss + - MMMM dd HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM dd HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM dd HH:mm:ss + source: >- - def dateFormat = ctx["_conf"]["custom_date_format"]; - def formatter = DateTimeFormatter.ofPattern(dateFormat); - def text = ctx["_tmp"]["timestamp_native"]; - def parsedDate = LocalDateTime.parse(text, formatter); - ctx["_tmp"]["timestamp_native"] = parsedDate.toString(); + params.fields.forEach((field,date_formats) -> { + def locale = Locale.ENGLISH; + def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", 
locale); + def parent = ctx._tmp; + + if (!parent.containsKey(field)) { + return false; + } + def text = parent[field].trim(); + + def tz; + def made = false; + if (ctx.event instanceof Map && ctx.event.containsKey("timezone")) { + try { + tz = ZoneId.of(ctx.event.timezone); + made = true; + } catch (Exception e) { + // + } + } + + if (!made) { + tz = ZoneOffset.UTC; + } + printer = printer.withZone(tz); + def formats = []; + if (ctx._conf instanceof Map && ctx._conf.containsKey("custom_date_format")) { + formats.add(ctx._conf.custom_date_format); + } + formats.addAll(date_formats); + + for (format in formats) { + def dateFormat = format.trim(); + def parsedDate; + try { + if (dateFormat == "ISO8601") { + parsedDate = ZonedDateTime.parse(text); + } else if (dateFormat == "UNIX_MS") { + parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz); + } else { + def formatter = DateTimeFormatter.ofPattern(dateFormat); + parsedDate = ZonedDateTime.parse(text, formatter); + } + parent[field] = printer.format(parsedDate); + } catch (DateTimeParseException e) { + // just pass through to the next format + } + } + return true; + }); - if: ctx._tmp?.timestamp_native != null && ctx?._conf?.custom_date_format != null && ctx?._conf?.custom_date_format != '' + if: ctx?.citrix_adc?.log != null && ctx.citrix_adc.log instanceof Map on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}. Offending format: {{{_conf.custom_date_format}}}.' - - date: - if: ctx._tmp?.timestamp_native != null && ctx?._conf?.custom_date_format == null - tag: date_tmp_timestamp_native - field: _tmp.timestamp_native - formats: - - MM/dd/yyyy:HH:mm:ss - - yyyy/MM/dd:HH:mm:ss - - dd/MM/yyyy:HH:mm:ss - timezone: '{{{event.timezone}}}' - remove: field: citrix.event_year tag: remove_event_year 
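Review bot: `DateTimeFormatter.ofPattern(dateFormat)` in the script's final `else` branch is never given a zone, so `ZonedDateTime.parse(text, formatter)` throws `DateTimeParseException` for every zone-less pattern listed in `params.fields` (`MM/dd/yyyy:HH:mm:ss`, `MMM d HH:mm:ss`, …), the `catch` swallows it, and the field keeps its raw string — which is exactly what the regenerated expected-output fixtures in this commit now show. The fix is `def formatter = DateTimeFormatter.ofPattern(dateFormat, locale).withZone(tz);`, and the loop should `break;` right after `parent[field] = printer.format(parsedDate);`, otherwise later formats re-parse the original `text` and the last match wins (for a value such as `06/10/2014:…`, `dd/MM/yyyy` overrides `MM/dd/yyyy`, the reverse of the removed date processors' first-match order). The removed `date` processors had no `target_field` and so wrote `@timestamp`; the script only rewrites `_tmp.*` in place and nothing in this hunk sets `@timestamp`, so unless a later processor does, the event timestamp is dropped. The `if:` condition guards `ctx.citrix_adc.log` while the script dereferences `ctx._tmp` unguarded, so an event without `_tmp` lands in `on_failure`; `if: ctx._tmp instanceof Map` is the guard the script actually needs. The description/tag (`Convert delink_time via custom format`, `date_delink_time_custom_format`) and the `Offending format: {{{_conf.custom_date_format}}}` failure text no longer describe a processor that tries every listed format, and should be updated to say it normalises `_tmp.timestamp8601`, `_tmp.timestamp_native` and `_tmp.timestamp`.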
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml index 56526fdb67c7..d8ec38397536 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml 
@@ -8,8 +8,10 @@ processors: patterns: - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type \"%{DATA:citrix_adc.log.browser_type}\" - SSLVPN_client_type %{DATA:citrix_adc.log.sslvpn_client_type} - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{DATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - NonHttp_services_accessed %{INT:citrix_adc.log.non_http_services_accessed} - Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - Total_UDP_flows %{INT:citrix_adc.log.total_udp_flows} - Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied %{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{INT:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{INT:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod \"%{DATA:citrix_adc.log.logout_method}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - customername( %{WORD:citrix_adc.log.customer_name})? 
- username:domainname %{DATA:citrix_adc.log.username}:%{DATA:citrix_adc.log.domain_name} - applicationName %{WORD:citrix_adc.log.application_name} - startTime \"%{DATA:citrix_adc.log.start_time}\" - connectionId %{WORD:citrix_adc.log.connection_id}$' - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - SSLRelayAddress %{IP:citrix_adc.log.ssl_relay.address}:%{INT:citrix_adc.log.ssl_relay.port} - customername( %{WORD:citrix_adc.log.customer_name})? - username:domainname %{DATA:citrix_adc.log.username}:%{DATA:citrix_adc.log.domain_name} - applicationName %{WORD:citrix_adc.log.application_name} - startTime \"%{DATA:citrix_adc.log.start_time}\" - connectionId %{WORD:citrix_adc.log.connection_id}$' - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - SSLRelayAddress %{IP:citrix_adc.log.ssl_relay.address}:%{INT:citrix_adc.log.ssl_relay.port} - customername( %{WORD:citrix_adc.log.customer_name})? 
- username:domainname %{DATA:citrix_adc.log.username}:%{DATA:citrix_adc.log.domain_name} - startTime \"%{DATA:citrix_adc.log.start_time}\" - endTime \"%{DATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - connectionId %{WORD:citrix_adc.log.connection_id}( - Total_bytes_wire_send %{NUMBER:citrix_adc.log.total_bytes_wire_send} - Total_bytes_wire_recv %{NUMBER:citrix_adc.log.total_bytes_wire_recieved})?$' + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - customername( %{WORD:citrix_adc.log.customer_name})? 
- username:domainname %{DATA:citrix_adc.log.username}:%{DATA:citrix_adc.log.domain_name} - startTime \"%{DATA:citrix_adc.log.start_time}\" - endTime \"%{DATA:citrix_adc.log.end_time}\" - Duration %{NOTSPACE:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - connectionId %{WORD:citrix_adc.log.connection_id}( - Total_bytes_wire_send %{NUMBER:citrix_adc.log.total_bytes_wire_send} - Total_bytes_wire_recv %{NUMBER:citrix_adc.log.total_bytes_wire_recieved})?$' - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{GREEDYDATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - Access %{WORD:citrix_adc.log.access} - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' - '^User 
%{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Last_contact \"%{DATA:citrix_adc.log.last_contact}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{GREEDYDATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' 
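Review bot: The second added pattern (the `ICAEND_CONNSTAT` shape without `SSLRelayAddress`) duplicates the existing pattern directly above it except for that segment and for capturing `Duration` with `%{NOTSPACE}` where the existing one uses `%{DATA}`, so `citrix_adc.log.duration` is parsed with two different semantics depending on which variant matched. Making the relay segment optional in the existing pattern, `( - SSLRelayAddress %{IP:citrix_adc.log.ssl_relay.address}:%{INT:citrix_adc.log.ssl_relay.port})?`, covers both message shapes with one pattern and keeps the capture types aligned; the same applies to the first added pattern and its `applicationName` sibling. Since `%{DATA:citrix_adc.log.start_time}` and `%{DATA:citrix_adc.log.end_time}` sit inside literal quotes, they capture any whitespace the device emits inside those quotes, and the pipeline currently depends on the painless `.trim()` downstream to clean it; a comment on these patterns such as `# start_time/end_time may carry surrounding whitespace; trimmed by the date script` would make that dependency visible to the next editor.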
@@ -24,21 +26,6 @@ processors: - '^Context %{USERNAME:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip} - SessionId: %{NUMBER:citrix_adc.log.session_id} - %{HOSTNAME:citrix_adc.log.hostname} User %{USERNAME:citrix_adc.log.user}%{SPACE}?: Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} : SSO is %{WORD:citrix_adc.log.sso_status} : %{WORD:citrix_adc.log.method} %{URIPATHPARAM:citrix_adc.log.request.path} - -$' - '^Context %{DATA:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip}%{SPACE}- SessionId: %{NUMBER:citrix_adc.log.session_id}%{SPACE}?- %{HOSTNAME:citrix_adc.log.hostname} User %{DATA:citrix_adc.log.user} : Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} %{DATA:citrix_adc.log.timezone} %{WORD:citrix_adc.log.method} %{DATA:citrix_adc.log.request.path} - -$' ignore_failure: false - - date: - field: citrix_adc.log.timestamp - tag: date_timestamp - target_field: citrix_adc.log.timestamp - formats: - - ISO8601 - - MM/dd/yyyy:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss z - - yyyy/MM/dd:HH:mm:ss - - yyyy/MM/dd:HH:mm:ss z - if: ctx.citrix_adc?.log?.timestamp != null && ctx.citrix_adc.log.timestamp != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: citrix_adc.log.client_ip tag: convert_client_ip_to_ip 
@@ -107,37 +94,82 @@ processors: tag: set_error_message_from_errmsg copy_from: citrix_adc.log.errmsg ignore_empty_value: true - - date: - field: citrix_adc.log.end_time - tag: date_end_time - target_field: citrix_adc.log.end_time - formats: - - yyyy/MM/dd:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss - - ISO8601 - if: ctx.citrix_adc?.log?.end_time != null && ctx.citrix_adc.log.end_time != '' + + - script: + description: Convert multiple fields via custom format + tag: date_start_end_timestamp_custom_format + lang: painless + params: + fields: + timestamp: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss z + - yyyy/MM/dd:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss z + + start_time: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - ISO8601 + + end_time: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - ISO8601 + + source: >- + def locale = Locale.ENGLISH; + def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", locale); + def tz = ZoneOffset.UTC; + printer = printer.withZone(tz); + + def parent = ctx.citrix_adc.log; + params.fields.forEach((field,date_formats) -> { + if (!parent.containsKey(field)) { + return true; + } + def text = parent[field].trim(); + parent[field] = text; + + def formats = []; + if (ctx._conf instanceof Map && ctx._conf.containsKey("custom_date_format")) { + formats.add(ctx._conf.custom_date_format); + } + formats.addAll(date_formats); + + for (format in formats) { + def dateFormat = format.trim(); + def parsedDate; + try { + if (dateFormat == "ISO8601") { + parsedDate = ZonedDateTime.parse(text); + } else if (dateFormat == "UNIX_MS") { + parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz); + } else { + def formatter = DateTimeFormatter.ofPattern(dateFormat); + parsedDate = ZonedDateTime.parse(text, formatter); + } + ctx.citrix_adc.log[field] = printer.format(parsedDate); + } catch (DateTimeParseException e) { + // just pass through to the next format + } + } + return true; + }); + + if: ctx?.citrix_adc?.log != null && 
ctx.citrix_adc.log instanceof Map on_failure: - append: field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}. Offending format: {{{_conf.custom_date_format}}}.' + + - set: field: event.end tag: set_event_end_from_end_time copy_from: citrix_adc.log.end_time ignore_empty_value: true - - date: - field: citrix_adc.log.start_time - tag: date_start_time - target_field: citrix_adc.log.start_time - formats: - - yyyy/MM/dd:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss - - ISO8601 - if: ctx.citrix_adc?.log?.start_time != null && ctx.citrix_adc.log.start_time != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.start tag: set_event_start_from_start_time diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml index f49ea8962a5d..7edd8374e5b6 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml 
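Review bot: In the new `date_start_end_timestamp_custom_format` script, `ZonedDateTime.parse(text, formatter)` is fed patterns such as `yyyy/MM/dd:HH:mm:ss` that carry no zone or offset, so unless the formatter is given one (`def formatter = DateTimeFormatter.ofPattern(dateFormat).withZone(tz);`) the parse raises DateTimeParseException, the catch swallows it, and the field silently stays the trimmed raw string with nothing appended to `error.message`. The loop also never stops after a successful parse, so a later default pattern can overwrite the value produced by `_conf.custom_date_format`, which was deliberately placed first; a `break;` after `ctx.citrix_adc.log[field] = printer.format(parsedDate);` keeps that priority. `Long.parseLong(text)` on the `UNIX_MS` branch throws NumberFormatException rather than DateTimeParseException, so a non-numeric value escapes the catch and fails the whole script (and every remaining field) instead of falling through to the next format; catching `Exception` there, or testing the text is all digits first, would match the old date processor's behaviour. The same three points apply to the script in the tcp_and_acl_feature.yml hunk below, which lists `UNIX_MS` first for `timestamp`.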
@@ -13,31 +13,6 @@ processors: - '^Source %{IP:citrix_adc.log.source.ip} --> Destination %{IP:citrix_adc.log.destination.ip} - Protocol %{WORD:citrix_adc.log.protocol} - Type %{INT:citrix_adc.log.type} - Code %{INT:citrix_adc.log.code} - Time%{SPACE}Stamp %{DATA:citrix_adc.log.timestamp}%{SPACE}\(ms\) - Hitcount %{INT:citrix_adc.log.hit.count:int} - Hit%{SPACE}Rule %{GREEDYDATA:citrix_adc.log.hit.rule} - Action %{WORD:citrix_adc.log.action} - Data$' - '%{GREEDYDATA:citrix_adc.log.message}' ignore_failure: true - - date: - field: citrix_adc.log.timestamp - tag: date_timestamp - target_field: citrix_adc.log.timestamp - formats: - - UNIX_MS - - ISO8601 - - MM/dd/yyyy:HH:mm:ss - - MMM d HH:mm:ss - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMMM d HH:mm:ss - - MMMM d HH:mm:ss - - MMMM dd HH:mm:ss - - yyyy MMM d HH:mm:ss - - yyyy MMM d HH:mm:ss - - yyyy MMM dd HH:mm:ss - - yyyy MMMM d HH:mm:ss - - yyyy MMMM d HH:mm:ss - - yyyy MMMM dd HH:mm:ss - if: ctx.citrix_adc?.log?.timestamp != null && ctx.citrix_adc.log.timestamp != '' && ctx?._conf?.custom_date_format == null - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: citrix_adc.log.total_bytes_received tag: convert_total_bytes_received_to_long 
@@ -134,65 +109,116 @@ processors: tag: set_event_action_from_action copy_from: citrix_adc.log.action ignore_empty_value: true + - script: description: Convert delink_time via custom format tag: date_delink_time_custom_format lang: painless + params: + fields: + timestamp: + - UNIX_MS + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMMM d HH:mm:ss + - MMMM d HH:mm:ss + - MMMM dd HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM dd HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM dd HH:mm:ss + + delink_time: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + - ISO8601 + + start_time: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + + end_time: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + source: >- - def dateFormat = ctx["_conf"]["custom_date_format"]; - def formatter = DateTimeFormatter.ofPattern(dateFormat); + params.fields.forEach((field,date_formats) -> { + def locale = Locale.ENGLISH; + def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", locale); + def parent = ctx.citrix_adc.log; + + if (!parent.containsKey(field)) { + return false; + } + def text = parent[field].trim(); + + def tz; + def made = false; + if (parent.containsKey(field + "_timezone")) { + try { + tz = ZoneId.of(parent[field + "_timezone"]); + made = true; + } catch (Exception e) { + // + } + } + if (!made && ctx.event instanceof Map && ctx.event.containsKey("timezone")) { + try { + tz = ZoneId.of(ctx.event.timezone); + made = true; + } catch (Exception e) { + // + } + } - ["delink_time", "start_time", "end_time", "timestamp"].forEach(l -> { + if (!made) { + tz = ZoneOffset.UTC; + } + printer = printer.withZone(tz); + def formats = []; + if (ctx._conf instanceof Map && ctx._conf.containsKey("custom_date_format")) { + formats.add(ctx._conf.custom_date_format); + } + formats.addAll(date_formats); - if (ctx.containsKey("citrix_adc")) 
{ - if (ctx.citrix_adc.containsKey("log")) { - if (ctx.citrix_adc.log.containsKey(l)) { - def text = ctx.citrix_adc.log[l]; - def parsedDate = LocalDateTime.parse(text, formatter); - ctx.citrix_adc.log[l] = parsedDate.toString(); + for (format in formats) { + def dateFormat = format.trim(); + def parsedDate; + try { + if (dateFormat == "ISO8601") { + parsedDate = ZonedDateTime.parse(text); + } else if (dateFormat == "UNIX_MS") { + parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz); + } else { + def formatter = DateTimeFormatter.ofPattern(dateFormat); + parsedDate = ZonedDateTime.parse(text, formatter); } + parent[field] = printer.format(parsedDate); + } catch (DateTimeParseException e) { + // just pass through to the next format } } return true; }); - if: ctx?._conf?.custom_date_format != null && ctx?._conf?.custom_date_format != '' + if: ctx?.citrix_adc?.log != null && ctx.citrix_adc.log instanceof Map on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}. Offending format: {{{_conf.custom_date_format}}}.' 
- - date: - field: citrix_adc.log.delink_time - tag: date_delink_time - target_field: citrix_adc.log.delink_time - formats: - - yyyy/MM/dd:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss - - yyyy/MM/dd:HH:mm:ss - - ISO8601 - if: ctx.citrix_adc?.log?.delink_time != null && ctx.citrix_adc.log.delink_time != '' && ctx?._conf?.custom_date_format == null - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.end tag: set_event_end_from_delink_time copy_from: citrix_adc.log.delink_time ignore_empty_value: true - - date: - field: citrix_adc.log.end_time - tag: date_end_time - target_field: citrix_adc.log.end_time - formats: - - ISO8601 - - MM/dd/yyyy:HH:mm:ss - - yyyy/MM/dd:HH:mm:ss - if: ctx.citrix_adc?.log?.end_time != null && ctx.citrix_adc.log.end_time != '' && ctx?._conf?.custom_date_format == null - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.end tag: set_event_end_from_end_time 
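Review bot: The per-field timezone lookup in the rewritten `date_delink_time_custom_format` script uses `parent.containsKey(field + "_timezone")`, which for `delink_time` resolves to `delink_time_timezone`, while the expected output later in this series (test-citrix-waf-native.log-expected.json) shows the parsed key as `delink_timezone`, so the captured `GMT` appears never to be consulted and the field falls back to `event.timezone` or UTC. Either build the key as `field.replace("_time", "") + "_timezone"` or rename the grok capture so the two agree. The resolved `tz` is also only applied on the `UNIX_MS` branch; `ZonedDateTime.parse(text)` and `ZonedDateTime.parse(text, formatter)` ignore it, so the whole zone-resolution block has no effect on the fixed-pattern formats unless the formatter gets `.withZone(tz)`. The lambda returns `false` for a missing field but `true` at the end, which reads as a leftover from the old loop; picking one value makes the intent clearer. The processors list enclosing this script continues outside the hunk.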
@@ -203,19 +229,6 @@ processors: tag: set_event_reason_from_closure_reason copy_from: citrix_adc.log.closure_reason ignore_empty_value: true - - date: - field: citrix_adc.log.start_time - tag: date_start_time - target_field: citrix_adc.log.start_time - formats: - - ISO8601 - - MM/dd/yyyy:HH:mm:ss - - yyyy/MM/dd:HH:mm:ss - if: ctx.citrix_adc?.log?.start_time != null && ctx.citrix_adc.log.start_time != '' && ctx?._conf?.custom_date_format == null - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.start tag: set_event_start_from_start_time diff --git a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json index 656fb07383f0..e8e8556d8776 100644 --- a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json @@ -90,4 +90,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json index 70e195a8c965..c32dfba2f6fd 100644 --- a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json @@ -143,4 +143,4 @@ ] } ] -} \ No newline at end of file +} 
diff --git a/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json b/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json index 17b0d30c0159..a7fa95398d9f 100644 --- a/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json @@ -146,4 +146,4 @@ ] } ] -} \ No newline at end of file +} From b5a30fd15af9d5d97e153b8383bb41ccd97113d5 Mon Sep 17 00:00:00 2001 From: mo Date: Thu, 31 Oct 2024 08:22:46 -0400 Subject: [PATCH 2/5] newline endings --- .../_dev/test/pipeline/test-interface-metrics.log-expected.json | 1 + .../_dev/test/pipeline/test-lbvserver-metrics.log-expected.json | 1 + .../pipeline/test-citrix-native-with-delink.json-expected.json | 1 + .../log/_dev/test/pipeline/test-citrix-native.json-expected.json | 1 + .../test/pipeline/test-citrix-sslvpn-message.log-expected.json | 1 + .../log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json | 1 + .../_dev/test/pipeline/test-citrix-waf-native.log-expected.json | 1 + .../_dev/test/pipeline/test-service-metrics.log-expected.json | 1 + .../_dev/test/pipeline/test-system-metrics.log-expected.json | 1 + .../vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json | 1 + 10 files changed, 10 insertions(+) diff --git a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json index b57b8263e203..e79a15f21ec1 100644 --- a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json @@ -121,3 +121,4 @@ } ] } + 
diff --git a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json index d225e9f4d5b4..f712230ae165 100644 --- a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json @@ -272,3 +272,4 @@ } ] } + diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json index a9e291df7823..26d192923549 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json @@ -268,3 +268,4 @@ } ] } + diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json index a83315d8df89..9989df5d1ec3 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json @@ -179,3 +179,4 @@ } ] } + diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json index ad05f751cc02..2aaaf1581c87 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json @@ -132,3 +132,4 @@ } ] } + 
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json index 7cfe4616dedd..ae93564ec2c7 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json @@ -831,3 +831,4 @@ } ] } + diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json index 035d876049e0..4927bfbbf88e 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json @@ -8599,3 +8599,4 @@ } ] } + diff --git a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json index e8e8556d8776..1a5544176f85 100644 --- a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json @@ -91,3 +91,4 @@ } ] } + diff --git a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json index c32dfba2f6fd..a94a5e15471e 100644 --- a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json @@ -144,3 +144,4 @@ } ] } + 
diff --git a/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json b/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json index a7fa95398d9f..cc9c998762f6 100644 --- a/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json @@ -147,3 +147,4 @@ } ] } + From 0abaeb718da1c47156742a7a6abece42ae95875f Mon Sep 17 00:00:00 2001 From: mo Date: Thu, 31 Oct 2024 08:34:59 -0400 Subject: [PATCH 3/5] undo last formatting commit, because automation --- .../_dev/test/pipeline/test-interface-metrics.log-expected.json | 1 - .../_dev/test/pipeline/test-lbvserver-metrics.log-expected.json | 1 - .../pipeline/test-citrix-native-with-delink.json-expected.json | 1 - .../log/_dev/test/pipeline/test-citrix-native.json-expected.json | 1 - .../test/pipeline/test-citrix-sslvpn-message.log-expected.json | 1 - .../log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json | 1 - .../_dev/test/pipeline/test-citrix-waf-native.log-expected.json | 1 - .../_dev/test/pipeline/test-service-metrics.log-expected.json | 1 - .../_dev/test/pipeline/test-system-metrics.log-expected.json | 1 - .../vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json | 1 - 10 files changed, 10 deletions(-) diff --git a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json index e79a15f21ec1..b57b8263e203 100644 --- a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json @@ -121,4 +121,3 @@ } ] } - 
diff --git a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json index f712230ae165..d225e9f4d5b4 100644 --- a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json @@ -272,4 +272,3 @@ } ] } - diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json index 26d192923549..a9e291df7823 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json @@ -268,4 +268,3 @@ } ] } - diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json index 9989df5d1ec3..a83315d8df89 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json @@ -179,4 +179,3 @@ } ] } - diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json index 2aaaf1581c87..ad05f751cc02 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json @@ -132,4 +132,3 @@ } ] } - 
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json index ae93564ec2c7..7cfe4616dedd 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json @@ -831,4 +831,3 @@ } ] } - diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json index 4927bfbbf88e..035d876049e0 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json @@ -8599,4 +8599,3 @@ } ] } - diff --git a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json index 1a5544176f85..e8e8556d8776 100644 --- a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json @@ -91,4 +91,3 @@ } ] } - diff --git a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json index a94a5e15471e..c32dfba2f6fd 100644 --- a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json @@ -144,4 +144,3 @@ } ] } - 
diff --git a/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json b/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json index cc9c998762f6..a7fa95398d9f 100644 --- a/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json +++ b/packages/citrix_adc/data_stream/vpn/_dev/test/pipeline/test-vpn-metrics.log-expected.json @@ -147,4 +147,3 @@ } ] } - From 75b6b1764f4f618c375e96540acdcf47c658eba3 Mon Sep 17 00:00:00 2001 From: mo Date: Thu, 31 Oct 2024 14:47:45 -0400 Subject: [PATCH 4/5] passing locally --- ...trix-native-with-delink.json-expected.json | 8 +- .../test-citrix-native.json-expected.json | 4 +- ...st-citrix-sslvpn-message.log-expected.json | 5 +- .../test/pipeline/test-citrix-waf-native.log | 5 +- .../test-citrix-waf-native.log-expected.json | 238 ++++++++++++------ .../elasticsearch/ingest_pipeline/default.yml | 19 +- .../elasticsearch/ingest_pipeline/native.yml | 8 +- .../sslvpn_and_aaatm_feature.yml | 155 ++++++------ .../ingest_pipeline/tcp_and_acl_feature.yml | 21 +- 9 files changed, 283 insertions(+), 180 deletions(-) diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json index a9e291df7823..6bca1a031c34 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json @@ -59,7 +59,7 @@ }, "citrix_adc": { "log": { - "delink_time": "10/08/2024:09:38:41", + "delink_time": "2024-08-10T09:38:41.000Z", "destination": { "ip": "81.2.69.144", "port": 80 
@@ -93,7 +93,7 @@ "category": [ "network" ], - "end": "10/08/2024:09:38:41", + "end": "2024-08-10T09:38:41.000Z", "id": "6715345", "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, @@ -192,7 +192,7 @@ }, "citrix_adc": { "log": { - "delink_time": "21/08/2024:09:38:41", + "delink_time": "2024-08-21T09:38:41.000Z", "destination": { "ip": "81.2.69.144", "port": 80 @@ -226,7 +226,7 @@ "category": [ "network" ], - "end": "21/08/2024:09:38:41", + "end": "2024-08-21T09:38:41.000Z", "id": "6715345", "original": "<131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json index a83315d8df89..fe8f0d681351 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json @@ -15,7 +15,7 @@ }, "citrix_adc": { "log": { - "delink_time": "10/08/2024:09:38:41", + "delink_time": "2024-10-08T09:38:41.000Z", "destination": { "ip": "81.2.69.144", "port": 80 
@@ -49,7 +49,7 @@ "category": [ "network" ], - "end": "10/08/2024:09:38:41", + "end": "2024-10-08T09:38:41.000Z", "id": "6715345", "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", "severity": 0, diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json index ad05f751cc02..38caeac80cb9 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json @@ -51,6 +51,7 @@ "extended": { "message": "Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -" }, + "host": "PRODSY3VPX01", "name": "HTTPREQUEST" }, "citrix_adc": { @@ -65,7 +66,7 @@ }, "session_id": "22569", "sso_status": "ON", - "timestamp": "30/10/2024:13:52:44", + "timestamp": "2024-10-30T13:52:44.000Z", "user": "fbueller", "username": "fbueller", "vserver": { @@ -93,7 +94,7 @@ "id": "72251252", "original": "<134> 30/10/2024:13:52:44 PRODSY3VPX01 0-PPE-0 : default SSLVPN HTTPREQUEST 72251252 0 : Context fbueller@1.128.65.1 - SessionId: 22569 - work.remote.example.com User fbueller : Group(s) N/A : Vserver 192.168.65.54:443 - 30/10/2024:13:52:44 : SSO is ON : GET /Citrix/SY3-STOREWeb/custom/style.css - -", "severity": 0, - "timezone": "PRODSY3VPX01", + "timezone": "UTC", "type": [ "info" ] 
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log index 636b3fc957ec..00517bea3477 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log 
@@ -105,5 +105,6 @@ Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : S
 Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command "scp file.txt" - Status "Success"
 Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234
 Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234
-Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -
-Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -
+<134> 07/12/2024:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre - -
+<134> 07/12/2024:05:54:39 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 1529 0 : Context user.name@81.2.69.145 - SessionId: 756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:37 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -
+<134> 22/06/2015:16:07:49 PRODSYSTEM0 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusern@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path- - -
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
index 035d876049e0..57ae0f908013 100644
--- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
@@ -151,7 +151,7 @@
 },
 "citrix_adc": {
 "log": {
- "delink_time": "10/06/2014:14:03:23",
+ "delink_time": "2014-10-06T14:03:23.000Z",
 "delink_timezone": "GMT",
 "destination": {
 "ip": "81.2.69.144",
@@ -201,7 +201,7 @@
 "category": [
 "network"
 ],
- "end": "10/06/2014:14:03:23",
+ "end": "2014-10-06T14:03:23.000Z",
 "id": "4471",
 "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352",
 "severity": 0,
@@ -259,14 +259,14 @@ "ip": "192.168.10.51", "port": 35341 }, - "end_time": "10/06/2014:14:03:30", + "end_time": "2014-10-06T14:03:30.000Z", "end_time_timezone": "GMT", "message": "Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "source": { "ip": "192.168.10.35", "port": 80 }, - "start_time": "10/06/2014:14:02:43", + "start_time": "2014-10-06T14:02:43.000Z", "start_time_timezone": "GMT", "total_bytes_received": 1, "total_bytes_send": 1 @@ -299,11 +299,11 @@ "category": [ "network" ], - "end": "10/06/2014:14:03:30", + "end": "2014-10-06T14:03:30.000Z", "id": "4472", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, - "start": "10/06/2014:14:02:43", + "start": "2014-10-06T14:02:43.000Z", "timezone": "GMT", "type": [ "end", @@ -351,14 +351,14 @@ "ip": "127.0.0.2", "port": 55623 }, - "end_time": "10/06/2014:14:03:30", + "end_time": "2014-10-06T14:03:30.000Z", "end_time_timezone": "GMT", "message": "Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "source": { "ip": "127.0.0.1", "port": 7776 }, - "start_time": "10/06/2014:14:02:45", + "start_time": "2014-10-06T14:02:45.000Z", "start_time_timezone": "GMT", "total_bytes_received": 1, "total_bytes_send": 1 
@@ -391,11 +391,11 @@ "category": [ "network" ], - "end": "10/06/2014:14:03:30", + "end": "2014-10-06T14:03:30.000Z", "id": "4473", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, - "start": "10/06/2014:14:02:45", + "start": "2014-10-06T14:02:45.000Z", "timezone": "GMT", "type": [ "end", @@ -443,14 +443,14 @@ "ip": "127.0.0.2", "port": 39771 }, - "end_time": "10/06/2014:14:03:30", + "end_time": "2014-10-06T14:03:30.000Z", "end_time_timezone": "GMT", "message": "Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "source": { "ip": "127.0.0.1", "port": 80 }, - "start_time": "10/06/2014:14:02:46", + "start_time": "2014-10-06T14:02:46.000Z", "start_time_timezone": "GMT", "total_bytes_received": 1, "total_bytes_send": 1 @@ -483,11 +483,11 @@ "category": [ "network" ], - "end": "10/06/2014:14:03:30", + "end": "2014-10-06T14:03:30.000Z", "id": "4474", "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, - "start": "10/06/2014:14:02:46", + "start": "2014-10-06T14:02:46.000Z", "timezone": "GMT", "type": [ "end", @@ -531,7 +531,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2022/06/14:16:05:04", + "delink_time": "2022-06-14T16:05:04.000Z", "delink_timezone": "GMT", "destination": { "ip": "1.128.0.0", 
@@ -581,7 +581,7 @@ "category": [ "network" ], - "end": "2022/06/14:16:05:04", + "end": "2022-06-14T16:05:04.000Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", "severity": 0, @@ -640,13 +640,13 @@ "ip": "1.128.0.0", "port": 80 }, - "end_time": "2023-04-01T11:05:00.000Z", + "end_time": "2023-04-01T11:05:00Z", "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", "source": { "ip": "192.168.1.100", "port": 12345 }, - "start_time": "2023-04-01T11:00:00.000Z", + "start_time": "2023-04-01T11:00:00Z", "total_bytes_received": 102400, "total_bytes_send": 51200 } @@ -678,11 +678,11 @@ "category": [ "network" ], - "end": "2023-04-01T11:05:00.000Z", + "end": "2023-04-01T11:05:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", "severity": 0, - "start": "2023-04-01T11:00:00.000Z", + "start": "2023-04-01T11:00:00Z", "timezone": "GMT", "type": [ "end", @@ -726,7 +726,7 @@ }, "citrix_adc": { "log": { - "delink_time": "2023-04-01T12:00:00.000Z", + "delink_time": "2023-04-01T12:00:00Z", "delink_timezone": "GMT", "destination": { "ip": "1.128.0.0", 
@@ -776,7 +776,7 @@ "category": [ "network" ], - "end": "2023-04-01T12:00:00.000Z", + "end": "2023-04-01T12:00:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400", "severity": 0, @@ -832,7 +832,7 @@ "citrix_adc": { "log": { "closure_reason": "Client Reset", - "delink_time": "2023-04-01T11:05:00.000Z", + "delink_time": "2023-04-01T11:05:00Z", "delink_timezone": "GMT", "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", "nat": { @@ -847,7 +847,7 @@ "ip": "192.168.1.100", "port": 12345 }, - "start_time": "2023-04-01T11:00:00.000Z", + "start_time": "2023-04-01T11:00:00Z", "total_bytes_received": 153600, "total_bytes_send": 102400, "translated_destination": { @@ -883,12 +883,12 @@ "category": [ "network" ], - "end": "2023-04-01T11:05:00.000Z", + "end": "2023-04-01T11:05:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", "reason": "Client Reset", "severity": 0, - "start": "2023-04-01T11:00:00.000Z", + "start": "2023-04-01T11:00:00Z", "timezone": "GMT", "type": [ "end", 
@@ -937,7 +937,7 @@ "citrix_adc": { "log": { "closure_reason": "Timeout", - "delink_time": "2023-04-01T11:05:00.000Z", + "delink_time": "2023-04-01T11:05:00Z", "delink_timezone": "GMT", "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", "nat": { @@ -952,7 +952,7 @@ "ip": "192.168.1.100", "port": 12345 }, - "start_time": "2023-04-01T11:00:00.000Z", + "start_time": "2023-04-01T11:00:00Z", "total_bytes_received": 153600, "total_bytes_send": 102400, "translated_destination": { @@ -988,12 +988,12 @@ "category": [ "network" ], - "end": "2023-04-01T11:05:00.000Z", + "end": "2023-04-01T11:05:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", "reason": "Timeout", "severity": 0, - "start": "2023-04-01T11:00:00.000Z", + "start": "2023-04-01T11:00:00Z", "timezone": "GMT", "type": [ "end", @@ -2299,7 +2299,7 @@ "compression_ratio_recieved": 70.0, "compression_ratio_send": 50.0, "duration": "00:00:04", - "end_time": "2023-04-01T12:00:00.000Z", + "end_time": "2023-04-01T12:00:00Z", "groups": "HR,Finance", "http_resources_accessed": "15", "logout_method": "Timeout", @@ -2308,7 +2308,7 @@ "ip": "10.0.0.51" }, "non_http_services_accessed": "5", - "start_time": "2023-04-01T08:00:00.000Z", + "start_time": "2023-04-01T08:00:00Z", "total_bytes_received": 500, "total_bytes_send": 1, "total_compressed_bytes_recieved": 350, 
@@ -2337,11 +2337,11 @@ "category": [ "authentication" ], - "end": "2023-04-01T12:00:00.000Z", + "end": "2023-04-01T12:00:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGOUT 4471 0 : User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"", "severity": 0, - "start": "2023-04-01T08:00:00.000Z", + "start": "2023-04-01T08:00:00Z", "timezone": "GMT", "type": [ "info" @@ -2415,7 +2415,7 @@ "address": "10.0.0.52", "port": 443 }, - "start_time": "2023-04-01T09:00:00.000Z", + "start_time": "2023-04-01T09:00:00Z", "username": "someusername" } }, @@ -2448,7 +2448,7 @@ "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICASTART 4471 0 : Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c", "severity": 0, - "start": "2023-04-01T09:00:00.000Z", + "start": "2023-04-01T09:00:00Z", "timezone": "GMT", "type": [ "info" 
@@ -2508,7 +2508,7 @@ }, "domain_name": "example.domain.com", "duration": "00:01:04", - "end_time": "2023-04-01T09:45:00.000Z", + "end_time": "2023-04-01T09:45:00Z", "message": "Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", "source": { "ip": "192.168.1.53", @@ -2518,7 +2518,7 @@ "address": "10.0.0.53", "port": 443 }, - "start_time": "2023-04-01T09:00:00.000Z", + "start_time": "2023-04-01T09:00:00Z", "total_bytes_received": 250000, "total_bytes_send": 500000, "total_compressed_bytes_recieved": 175000, @@ -2553,11 +2553,11 @@ "category": [ "authentication" ], - "end": "2023-04-01T09:45:00.000Z", + "end": "2023-04-01T09:45:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", "severity": 0, - "start": "2023-04-01T09:00:00.000Z", + "start": "2023-04-01T09:00:00Z", "timezone": "GMT", "type": [ "info" 
@@ -2617,7 +2617,7 @@ "port": 22 }, "duration": "00:02:04", - "end_time": "2023-04-01T11:00:00.000Z", + "end_time": "2023-04-01T11:00:00Z", "groups": "Developers,QA", "message": "User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"", "nat": { @@ -2627,7 +2627,7 @@ "ip": "192.168.1.55", "port": 443 }, - "start_time": "2023-04-01T10:00:00.000Z", + "start_time": "2023-04-01T10:00:00Z", "total_bytes_received": 400000, "total_bytes_send": 800000, "total_compressed_bytes_recieved": 280000, @@ -2654,11 +2654,11 @@ "category": [ "authentication" ], - "end": "2023-04-01T11:00:00.000Z", + "end": "2023-04-01T11:00:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONNSTAT 4471 0 : User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"", "severity": 0, - "start": "2023-04-01T10:00:00.000Z", + "start": "2023-04-01T10:00:00Z", "timezone": "GMT", "type": [ "info" 
@@ -2807,7 +2807,7 @@ "port": 22 }, "duration": "00:03:04", - "end_time": "2023-04-01T15:00:00.000Z", + "end_time": "2023-04-01T15:00:00Z", "groups": "Management,Executives", "message": "User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", "nat": { @@ -2817,7 +2817,7 @@ "ip": "192.168.1.58", "port": 3389 }, - "start_time": "2023-04-01T14:00:00.000Z", + "start_time": "2023-04-01T14:00:00Z", "total_bytes_received": 600000, "total_bytes_send": 1200000, "user": "DianaPrince", @@ -2842,11 +2842,11 @@ "category": [ "authentication" ], - "end": "2023-04-01T15:00:00.000Z", + "end": "2023-04-01T15:00:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN UDPFLOWSTAT 4471 0 : User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", "severity": 0, - "start": "2023-04-01T14:00:00.000Z", + "start": "2023-04-01T14:00:00Z", "timezone": "GMT", "type": [ "info" @@ -6687,7 +6687,7 @@ "compression_ratio_recieved": 35.0, "compression_ratio_send": 50.0, "duration": "00:00:04", - "end_time": "2023-04-04T09:30:00.000Z", + "end_time": "2023-04-04T09:30:00Z", "groups": "HR,Finance", "http_resources_accessed": "20", "logout_method": "UserInitiated", 
@@ -6695,7 +6695,7 @@ "nat": { "ip": "10.0.0.2" }, - "start_time": "2023-04-04T08:30:00.000Z", + "start_time": "2023-04-04T08:30:00Z", "total_bytes_received": 50, "total_bytes_send": 3, "total_compressed_bytes_recieved": 500, @@ -6729,11 +6729,11 @@ "category": [ "network" ], - "end": "2023-04-04T09:30:00.000Z", + "end": "2023-04-04T09:30:00Z", "id": "4471", "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGOUT 4471 0 : User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"", "severity": 0, - "start": "2023-04-04T08:30:00.000Z", + "start": "2023-04-04T08:30:00Z", "timezone": "GMT", "type": [ "info" @@ -7908,7 +7908,7 @@ }, "session_id": "12690921", "sso_status": "ON", - "timestamp": "2022/06/14:16:07:48", + "timestamp": "2022-06-14T16:07:48.000Z", "user": "someusername", "username": "someusername", "vserver": { @@ -7997,7 +7997,7 @@ "path": "/Some/Url/Concealed" }, "session_id": "104248", - "timestamp": "07/07/2022:11:22:00", + "timestamp": "2022-07-07T11:22:00.000Z", "timezone": "GMT", "user": "some.email@company.com", "username": "another.email@company.com", 
@@ -8087,7 +8087,7 @@ }, "domain_name": "example.domain.com", "duration": "00:00:27", - "end_time": "2022/06/14:16:18:18", + "end_time": "2022-06-14T16:18:18.000Z", "message": "Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", "source": { "ip": "1.128.0.0", @@ -8097,7 +8097,7 @@ "address": "1.128.0.2", "port": 2598 }, - "start_time": "2022/06/14:16:17:51", + "start_time": "2022-06-14T16:17:51.000Z", "total_bytes_received": 36983, "total_bytes_send": 193250, "total_bytes_wire_recieved": "8320800952261094732", @@ -8134,11 +8134,11 @@ "category": [ "authentication" ], - "end": "2022/06/14:16:18:18", + "end": "2022-06-14T16:18:18.000Z", "id": "4471", "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", "severity": 0, - "start": "2022/06/14:16:17:51", + "start": "2022-06-14T16:17:51.000Z", "timezone": "GMT", "type": [ "info" 
@@ -8408,25 +8408,23 @@ { "citrix": { "cef_format": false, - "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", + "detail": "<134> 07/12/2024:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre - -", "device_event_class_id": "SSLVPN", "extended": { - "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -" + "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre - -" }, - "facility": "local0", "host": "ns", - "name": "HTTPREQUEST", - "priority": "info" + "name": "HTTPREQUEST" }, "citrix_adc": { "log": { "client_ip": "81.2.69.145", "groups": "N/A", "hostname": "citrix.example.com", - "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", + "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 
07/12/2024:06:54:39 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre - -", "method": "POST", "request": { - "path": "/Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre-" + "path": "/Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre" }, "session_id": "1756710", "sso_status": "ON", @@ -8461,8 +8459,8 @@ "category": [ "authentication" ], - "id": "152923587", - "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", + "id": "923587", + "original": "<134> 07/12/2024:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre - -", "severity": 0, "timezone": "GMT", "type": [ 
@@ -8504,29 +8502,27 @@ { "citrix": { "cef_format": false, - "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", + "detail": "<134> 07/12/2024:05:54:39 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 1529 0 : Context user.name@81.2.69.145 - SessionId: 756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:37 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", "device_event_class_id": "SSLVPN", "extended": { - "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -" + "message": "Context user.name@81.2.69.145 - SessionId: 756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:37 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -" }, - "facility": "local0", "host": "ns", - "name": "HTTPREQUEST", - "priority": "info" + "name": "HTTPREQUEST" }, "citrix_adc": { "log": { "client_ip": "81.2.69.145", "groups": "N/A", "hostname": "citrix.example.com", - "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", + "message": "Context user.name@81.2.69.145 - SessionId: 756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 
07/12/2024:06:54:37 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", "method": "POST", "request": { "path": "/Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre-" }, - "session_id": "1756710", + "session_id": "756710", "sso_status": "ON", - "timestamp": "2024-07-12T06:54:39.000Z", + "timestamp": "2024-07-12T06:54:37.000Z", "user": "user.name", "username": "user.name", "vserver": { @@ -8557,8 +8553,8 @@ "category": [ "authentication" ], - "id": "152923587", - "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context user.name@81.2.69.145 - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", + "id": "1529", + "original": "<134> 07/12/2024:05:54:39 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 1529 0 : Context user.name@81.2.69.145 - SessionId: 756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:37 : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", "severity": 0, "timezone": "GMT", "type": [ 
@@ -8596,6 +8592,94 @@ "user": { "name": "user.name" } + }, + { + "citrix": { + "cef_format": false, + "detail": "<134> 22/06/2015:16:07:49 PRODSYSTEM0 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusern@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path- - -", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Context someusern@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path- - -" + }, + "host": "PRODSYSTEM0", + "name": "HTTPREQUEST" + }, + "citrix_adc": { + "log": { + "client_ip": "1.128.0.0", + "groups": "N/A", + "hostname": "example.domain.com", + "message": "Context someusern@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path- - -", + "method": "GET", + "request": { + "path": "/Citrix/Redacted/URL/Path-" + }, + "session_id": "12690921", + "sso_status": "ON", + "timestamp": "2022-06-14T16:07:48.000Z", + "user": "someusername", + "username": "someusern", + "vserver": { + "ip": "1.128.0.1", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "<134> 22/06/2015:16:07:49 PRODSYSTEM0 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusern@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path- - -", + "severity": 0, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "group": { + "name": "N/A" + }, + "observer": { + "product": "Netscaler", + 
"type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.1", + "1.128.0.0" + ], + "user": [ + "someusern" + ] + }, + "server": { + "ip": "1.128.0.1", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "example.domain.com" + }, + "user": { + "name": "someusern" + } } ] } diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml index f73b9254af24..a243ba56d76f 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -97,12 +97,11 @@ processors: params.fields.forEach((field,date_formats) -> { def locale = Locale.ENGLISH; def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", locale); - def parent = ctx._tmp; - if (!parent.containsKey(field)) { - return false; + if (!ctx._tmp.containsKey(field)) { + return true; } - def text = parent[field].trim(); + def text = ctx._tmp[field].trim(); def tz; def made = false; @@ -130,14 +129,16 @@ processors: def parsedDate; try { if (dateFormat == "ISO8601") { - parsedDate = ZonedDateTime.parse(text); + parsedDate = LocalDateTime.parse(text); } else if (dateFormat == "UNIX_MS") { - parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz); + parsedDate = Instant.ofEpochMilli(Long.parseLong(text)); } else { def formatter = DateTimeFormatter.ofPattern(dateFormat); - parsedDate = ZonedDateTime.parse(text, formatter); + parsedDate = LocalDateTime.parse(text, formatter); } - parent[field] = printer.format(parsedDate); + // the first one that works is the one we take + ctx._tmp[field] = printer.format(parsedDate.atZone(tz)); + break; } catch (DateTimeParseException e) { // just pass through to the next format } 
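Review bot: `def text = ctx._tmp[field].trim();` assumes every configured field holds a String and nothing checks that — the processor's `if` (changed further down in this patch to require only that `_tmp` is a Map) is the sole guard — so a non-string value, for example a capture that grok stored as a list, raises a cast or method-not-found error that the `catch (DateTimeParseException e)` later in the script does not cover, recording an `error.message` for the event and leaving every field after it un-normalised. A per-field type check keeps one odd value from skipping the rest: `if (!(ctx._tmp[field] instanceof String)) { return true; }` followed by `def text = ((String) ctx._tmp[field]).trim();`. Switching `return false` to `return true` changes nothing observable if, as it appears, this lambda is the `BiConsumer` handed to `Map.forEach`, where the return value is ignored and `return` only skips the current entry, so a comment such as `// field not extracted for this event: nothing to normalise` carries more information than the boolean. The lambda body and the loop over `date_formats` continue outside the hunk.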
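Review bot: Switching the `ISO8601` branch from `ZonedDateTime.parse(text)` to `LocalDateTime.parse(text)` is a regression: `LocalDateTime.parse` rejects any input that carries an offset or a trailing `Z`, the resulting `DateTimeParseException` is swallowed by the catch below, and the value passes through un-normalised — which is exactly what the expected-fixture changes earlier in this patch show (`"end_time": "2023-04-01T11:05:00.000Z"` becoming `"2023-04-01T11:05:00Z"` in test-citrix-waf-native.log-expected.json, and likewise for `start`, `end` and `delink_time`). Even for an ISO text that did parse, dropping its zone and then applying `atZone(tz)` would silently re-stamp it into the configured zone, shifting event times for any source that reports a non-UTC offset, which matters for anyone correlating these records on a timeline. Parse zoned input first and fall back to the local form only when no offset is present, keeping the other branches zoned so the printer always receives a `ZonedDateTime`; the rewritten branch is below, with the `for` loop over `date_formats`, the resolution of `tz` and the lambda header all outside the hunk. The `// the first one that works` comment is also where the day/month ambiguity deserves a word, since a value such as `07/12/2024` is accepted by whichever of the month-first and day-first patterns comes first in the configured list: `// the first format that parses wins; day/month values that both fit (<= 12) resolve to the earlier format`.
```yaml
            def parsedDate;
            try {
              if (dateFormat == "ISO8601") {
                try {
                  // keep an explicit offset or zone when the text carries one
                  parsedDate = ZonedDateTime.parse(text);
                } catch (DateTimeParseException e) {
                  parsedDate = LocalDateTime.parse(text).atZone(tz);
                }
              } else if (dateFormat == "UNIX_MS") {
                parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz);
              } else {
                def formatter = DateTimeFormatter.ofPattern(dateFormat);
                parsedDate = LocalDateTime.parse(text, formatter).atZone(tz);
              }
              // the first format that parses wins; day/month values that both fit (<= 12) resolve to the earlier format
              ctx._tmp[field] = printer.format(parsedDate);
              break;
            } catch (DateTimeParseException e) {
              // just pass through to the next format
            }
```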
@@ -145,7 +146,7 @@ processors:
 return true;
 });
- if: ctx?.citrix_adc?.log != null && ctx.citrix_adc.log instanceof Map
+ if: ctx?._tmp != null && ctx._tmp instanceof Map
 on_failure:
 - append:
 field: error.message
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml
index c1915dc6d903..1c46a0f7e2f9 100644
--- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml
@@ -11,12 +11,16 @@ processors:
 field: citrix.detail
 patterns:
 - '^%{SPACE}%{HEADER_NOTIMEZONE} : %{DATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"'
+ - '^%{SPACE}%{HEADER_NOTIMEZONE} : %{DATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}'
 - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"'
 - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}'
 pattern_definitions:
- HEADER_NOTIMEZONE: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
- HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone}? (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
+ HEADER_NOTIMEZONE: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} (?: ?%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
+ HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native}( %{WORD:event.timezone})? (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
 NATIVE_TIMESTAMP: '(?:%{MONTHNUM}/%{MONTHDAY}/%{YEAR}|%{YEAR}/%{MONTHNUM}/%{MONTHDAY}|%{MONTHDAY}/%{MONTHNUM}/%{YEAR}):%{HOUR}:%{MINUTE}:%{SECOND}'
+ MonthNumber: '(?:%{MONTHNUM:event.date.month})'
+ MonthDayNum: '(?:%{MONTHDAY:event.date.day})'
+ YearNumber: '(?:%{YEAR:event.date.year})'
 - grok:
 description: Parse out details.
 tag: grok_tmp_details
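Review bot: `MonthNumber`, `MonthDayNum` and `YearNumber` are added to `pattern_definitions` but none of the four patterns in this grok references them, and they would write to `event.date.month`/`day`/`year`, which are not ECS fields; unless a processor outside the hunk uses them, drop the three definitions so the dead names do not suggest a date path that does not exist. The new unquoted `HEADER_NOTIMEZONE` alternative inherits the ambiguity of the quoted one above it: on a line that carries a timezone word but no hostname, `%{SYSLOGHOST:citrix.host}` can consume the timezone token and `event.timezone` stays unset, while ordering the `HEADER` patterns first would let `%{WORD:event.timezone}` swallow a hostname instead. A stricter timezone sub-pattern (an upper-case abbreviation or numeric offset rather than `%{WORD}`) would make the two alternatives less dependent on their order; the grok processor's header is above the hunk.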
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml index d8ec38397536..2aa0a6acb2b7 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml 
@@ -23,9 +23,90 @@ processors: - '^Session%{SPACE}id %{NUMBER:citrix_adc.log.session_id:int} - User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver_ip %{IP:citrix_adc.log.vserver.ip} - Errmsg \"%{DATA:citrix_adc.log.errmsg}\"$' - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type \"%{DATA:citrix_adc.log.browser_type}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{DATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied %{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{DATA:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{DATA:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{DATA:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{DATA:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod \"%{DATA:citrix_adc.log.logout_method}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' - - '^Context %{USERNAME:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip} - SessionId: %{NUMBER:citrix_adc.log.session_id} - %{HOSTNAME:citrix_adc.log.hostname} User %{USERNAME:citrix_adc.log.user}%{SPACE}?: Group\(s\) 
%{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} : SSO is %{WORD:citrix_adc.log.sso_status} : %{WORD:citrix_adc.log.method} %{URIPATHPARAM:citrix_adc.log.request.path} - -$' - - '^Context %{DATA:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip}%{SPACE}- SessionId: %{NUMBER:citrix_adc.log.session_id}%{SPACE}?- %{HOSTNAME:citrix_adc.log.hostname} User %{DATA:citrix_adc.log.user} : Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} %{DATA:citrix_adc.log.timezone} %{WORD:citrix_adc.log.method} %{DATA:citrix_adc.log.request.path} - -$' + - '^Context %{UserAtIp} ?- SessionId: %{NUMBER:citrix_adc.log.session_id} ?- %{HOSTNAME:citrix_adc.log.hostname} User %{DATA:citrix_adc.log.user} ?: Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} : SSO is %{WORD:citrix_adc.log.sso_status} : %{WORD:citrix_adc.log.method} %{DATA:citrix_adc.log.request.path} - -$' + - '^Context %{UserAtIp} ?- SessionId: %{NUMBER:citrix_adc.log.session_id} ?- %{HOSTNAME:citrix_adc.log.hostname} User %{DATA:citrix_adc.log.user} : Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} %{WORD:citrix_adc.log.timezone} %{WORD:citrix_adc.log.method} %{DATA:citrix_adc.log.request.path} - -$' + pattern_definitions: + UserAtIp: '(?:%{DATA:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip})' + UserChoice: '(?:%{UserAtIp})' ignore_failure: false + + - script: + description: Convert multiple fields via custom format + tag: date_start_end_timestamp_custom_format + lang: painless + params: + fields: + timestamp: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss z + - yyyy/MM/dd:HH:mm:ss + - 
yyyy/MM/dd:HH:mm:ss z + - dd/MM/yyyy:HH:mm:ss + - dd/MM/yyyy:HH:mm:ss z + + start_time: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - ISO8601 + - dd/MM/yyyy:HH:mm:ss + + end_time: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - ISO8601 + - dd/MM/yyyy:HH:mm:ss + + source: >- + + params.fields.forEach((field,date_formats) -> { + def locale = Locale.ENGLISH; + def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", locale); + def tz = ZoneOffset.UTC; + + if (!ctx.citrix_adc.log.containsKey(field)) { + return true; + } + + def text = ctx.citrix_adc.log[field].trim(); + + printer = printer.withZone(tz); + def formats = []; + if (ctx._conf instanceof Map && ctx._conf.containsKey("custom_date_format")) { + formats.add(ctx._conf.custom_date_format); + } + formats.addAll(date_formats); + + for (format in formats) { + def dateFormat = format.trim(); + def parsedDate; + try { + if (dateFormat == "ISO8601") { + parsedDate = LocalDateTime.parse(text); + } else if (dateFormat == "UNIX_MS") { + parsedDate = Instant.ofEpochMilli(Long.parseLong(text)); + } else { + def formatter = DateTimeFormatter.ofPattern(dateFormat); + parsedDate = LocalDateTime.parse(text, formatter); + } + // the first one that works is the one we take + ctx.citrix_adc.log[field] = printer.format(parsedDate.atZone(tz)); + break; + } catch (DateTimeParseException e) { + // just pass through to the next format + } + } + return true; + }); + + if: ctx?.citrix_adc?.log != null && ctx.citrix_adc.log instanceof Map + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}.' + + + - convert: field: citrix_adc.log.client_ip tag: convert_client_ip_to_ip 
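Review bot: The relocated script pins `tz = ZoneOffset.UTC`, yet the second `Context …` pattern in this same hunk captures `%{WORD:citrix_adc.log.timezone}` and the `timestamp` format list includes `… z` variants; with `LocalDateTime.parse` the zone in the text is discarded, so every `citrix_adc.log.timestamp` is stored as UTC regardless of what the appliance logged, whereas tcp_and_acl_feature.yml resolves the zone from the `<field>_timezone` sibling before formatting. Consult the captured value before defaulting: `def tz = ZoneOffset.UTC; if (ctx.citrix_adc.log.containsKey("timezone")) { try { tz = ZoneId.of(ctx.citrix_adc.log.timezone); } catch (Exception e) { /* unrecognised zone, keep UTC */ } }`. `UserChoice` is defined under `pattern_definitions` but referenced by none of the visible patterns. The `on_failure` message also lost the `Offending format: {{{_conf.custom_date_format}}}` suffix the deleted copy of this processor had, which is the one detail an operator needs when a custom format is the cause; the `processors:` list continues outside the hunk.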
@@ -95,76 +176,6 @@ processors: copy_from: citrix_adc.log.errmsg ignore_empty_value: true - - script: - description: Convert multiple fields via custom format - tag: date_start_end_timestamp_custom_format - lang: painless - params: - fields: - timestamp: - - ISO8601 - - MM/dd/yyyy:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss z - - yyyy/MM/dd:HH:mm:ss - - yyyy/MM/dd:HH:mm:ss z - - start_time: - - yyyy/MM/dd:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss - - ISO8601 - - end_time: - - yyyy/MM/dd:HH:mm:ss - - MM/dd/yyyy:HH:mm:ss - - ISO8601 - - source: >- - def locale = Locale.ENGLISH; - def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", locale); - def tz = ZoneOffset.UTC; - printer = printer.withZone(tz); - - def parent = ctx.citrix_adc.log; - params.fields.forEach((field,date_formats) -> { - if (!parent.containsKey(field)) { - return true; - } - def text = parent[field].trim(); - parent[field] = text; - - def formats = []; - if (ctx._conf instanceof Map && ctx._conf.containsKey("custom_date_format")) { - formats.add(ctx._conf.custom_date_format); - } - formats.addAll(date_formats); - - for (format in formats) { - def dateFormat = format.trim(); - def parsedDate; - try { - if (dateFormat == "ISO8601") { - parsedDate = ZonedDateTime.parse(text); - } else if (dateFormat == "UNIX_MS") { - parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz); - } else { - def formatter = DateTimeFormatter.ofPattern(dateFormat); - parsedDate = ZonedDateTime.parse(text, formatter); - } - ctx.citrix_adc.log[field] = printer.format(parsedDate); - } catch (DateTimeParseException e) { - // just pass through to the next format - } - } - return true; - }); - - if: ctx?.citrix_adc?.log != null && ctx.citrix_adc.log instanceof Map - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}. 
Offending format: {{{_conf.custom_date_format}}}.' - - - set: field: event.end tag: set_event_end_from_end_time diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml index 7edd8374e5b6..0f9476e47ebf 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml @@ -153,18 +153,17 @@ processors: params.fields.forEach((field,date_formats) -> { def locale = Locale.ENGLISH; def printer = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX", locale); - def parent = ctx.citrix_adc.log; - if (!parent.containsKey(field)) { - return false; + if (!ctx.citrix_adc.log.containsKey(field)) { + return true; } - def text = parent[field].trim(); + def text = ctx.citrix_adc.log[field].trim(); def tz; def made = false; - if (parent.containsKey(field + "_timezone")) { + if (ctx.citrix_adc.log.containsKey(field + "_timezone")) { try { - tz = ZoneId.of(parent[field + "_timezone"]); + tz = ZoneId.of(ctx.citrix_adc.log[field + "_timezone"]); made = true; } catch (Exception e) { // 
@@ -194,14 +193,16 @@ processors:
 def parsedDate;
 try {
 if (dateFormat == "ISO8601") {
- parsedDate = ZonedDateTime.parse(text);
+ parsedDate = LocalDateTime.parse(text);
 } else if (dateFormat == "UNIX_MS") {
- parsedDate = Instant.ofEpochMilli(Long.parseLong(text)).atZone(tz);
+ parsedDate = Instant.ofEpochMilli(Long.parseLong(text));
 } else {
 def formatter = DateTimeFormatter.ofPattern(dateFormat);
- parsedDate = ZonedDateTime.parse(text, formatter);
+ parsedDate = LocalDateTime.parse(text, formatter);
 }
- parent[field] = printer.format(parsedDate);
+ // the first one that works is the one we take
+ ctx.citrix_adc.log[field] = printer.format(parsedDate.atZone(tz));
+ break;
 } catch (DateTimeParseException e) {
 // just pass through to the next format
 }
From 5c6f46403724b7299d3cdce12c7550983f593397 Mon Sep 17 00:00:00 2001
From: mo Date: Thu, 31 Oct 2024 15:46:00 -0400 Subject: [PATCH 5/5] unknown problems, hail-mary solutions --- .../test-citrix-native-with-delink.json | 20 ------- ...-citrix-native-with-delink.json-config.yml | 6 --- .../test-citrix-native-with-delink.log | 4 ++ ...t-citrix-native-with-delink.log-config.yml | 9 ++++ ...trix-native-with-delink.log-expected.json} | 54 ++++++++++++++----- .../test/pipeline/test-citrix-native.json | 16 ------ .../_dev/test/pipeline/test-citrix-native.log | 3 ++ ...n => test-citrix-native.log-expected.json} | 15 +++--- 8 files changed, 62 insertions(+), 65 deletions(-) delete mode 100644 packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json delete mode 100644 packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-config.yml create mode 100644 packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log create mode 100644 packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-config.yml rename packages/citrix_adc/data_stream/log/_dev/test/pipeline/{test-citrix-native-with-delink.json-expected.json => test-citrix-native-with-delink.log-expected.json} (71%) delete mode 100644 packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json create mode 100644 packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log rename packages/citrix_adc/data_stream/log/_dev/test/pipeline/{test-citrix-native.json-expected.json => test-citrix-native.log-expected.json} (75%) diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json deleted file mode 100644 index 55187508091b..000000000000 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2024-08-10T09:38:41.000Z", - "message": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n" - }, - { - "@timestamp": "2024-08-10:38:41.000Z", - "message": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n" - }, - { - "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n" - }, - { - "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n" - } - ] -} diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-config.yml deleted file mode 100644 index a483e20a6118..000000000000 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-config.yml +++ /dev/null @@ -1,6 +0,0 @@ -fields: - tags: - - preserve_original_event - - preserve_duplicate_custom_fields - _conf: - custom_date_format: "dd/MM/yyyy:HH:mm:ss" 
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log new file mode 100644 index 000000000000..d10231c3e61a --- /dev/null +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log @@ -0,0 +1,4 @@ + <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 + <131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118 + <123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 + <131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118 diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-config.yml new file mode 100644 index 000000000000..53ae73e78168 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-config.yml 
@@ -0,0 +1,9 @@ +fields: + tags: + - preserve_original_event + _conf: + custom_date_format: "dd/MM/yyyy:HH:mm:ss" +dynamic_fields: + # This can be removed after ES 8.14 is the minimum version. + # Relates: https://github.com/elastic/elasticsearch/pull/105689 + url.extension: '^.*$' diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-expected.json similarity index 71% rename from packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json rename to packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-expected.json index 6bca1a031c34..725445d3f49c 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native-with-delink.log-expected.json 
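Review bot: This config lists only `preserve_original_event` under `tags`, but the matching expected output (`test-citrix-native-with-delink.log-expected.json`, the next file in this patch) still carries `preserve_duplicate_custom_fields` in its `tags` array and keeps the duplicated `citrix_adc.log.*` fields; unless the pipeline adds that tag itself, the config and the fixture disagree and the test will not reproduce on regeneration. The deleted `.json-config.yml` declared both tags, so the omission looks accidental; restore `- preserve_duplicate_custom_fields` here, or regenerate the expected file without it.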
@@ -1,23 +1,39 @@ { "expected": [ { - "@timestamp": "2024-08-10T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", + "detail": " <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1", "device_event_class_id": "TCP", "extended": { - "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 " + "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1" }, "host": "SYSLOGHOST", "name": "CONN_TERMINATE" }, "citrix_adc": { "log": { - "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 " + "destination": { + "ip": "127.1.1.2", + "port": 20714 + }, + "end_time": "2024-08-10T09:38:41.000Z", + "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1", + "source": { + "ip": "127.1.2.1", + "port": 80 + }, + "start_time": "2024-08-10T09:37:54.000Z", + "total_bytes_received": 1, + "total_bytes_send": 1 } }, + "destination": { + "bytes": 1, + "ip": "127.1.1.2", + "port": 20714 + }, "ecs": { "version": "8.11.0" }, 
@@ -25,9 +41,11 @@ "category": [ "network" ], + "end": "2024-08-10T09:38:41.000Z", "id": "6715345", - "original": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", + "original": " <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1", "severity": 0, + "start": "2024-08-10T09:37:54.000Z", "timezone": "UTC", "type": [ "end", @@ -39,17 +57,27 @@ "type": "firewall", "vendor": "Citrix" }, + "related": { + "ip": [ + "127.1.2.1", + "127.1.1.2" + ] + }, + "source": { + "bytes": 1, + "ip": "127.1.2.1", + "port": 80 + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ] }, { - "@timestamp": "2024-08-10:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", + "detail": " <131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", "device_event_class_id": "TCP", "extended": { "message": "Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118" 
@@ -95,7 +123,7 @@ ], "end": "2024-08-10T09:38:41.000Z", "id": "6715345", - "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", + "original": " <131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", "severity": 0, "timezone": "UTC", "type": [ @@ -134,11 +162,10 @@ ] }, { - "@timestamp": "2024-08-21T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", + "detail": " <123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", "device_event_class_id": "TCP", "extended": { "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 " 
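Review bot: The third event's `citrix.detail` and `citrix.extended.message` keep a trailing space (`… Total_bytes_recv 1 `) where the first event's were trimmed, and in the next hunk that event's block goes straight from `"category"` to `"id"` with no `"end"`/`"start"` keys, unlike the first event at the top of this file; the fixture appears to pin a parse failure caused by the trailing blank rather than the intended output. The `$`-anchored `Start Time … End Time …` grok lives outside this file, so the likely fix is to trim `citrix.extended.message` before it runs and then regenerate, but that is inferred from the two events differing only in that blank. The same asymmetry shows up in `test-citrix-native.log-expected.json` later in the patch.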
@@ -159,7 +186,7 @@ "network" ], "id": "6715345", - "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", + "original": " <123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", "severity": 0, "timezone": "UTC", "type": [ @@ -178,11 +205,10 @@ ] }, { - "@timestamp": "2024-08-21T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", + "detail": " <131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", "device_event_class_id": "TCP", "extended": { "message": "Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118" 
@@ -228,7 +254,7 @@ ], "end": "2024-08-21T09:38:41.000Z", "id": "6715345", - "original": "<131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", + "original": " <131> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 21/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", "severity": 0, "timezone": "UTC", "type": [ diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json deleted file mode 100644 index 0d7f0768aade..000000000000 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2024-08-10T09:38:41.000Z", - "message": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n" - }, - { - "@timestamp": "2024-08-10T09:38:41.000Z", - "message": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n" - }, - { - "@timestamp": "2024-08-21T09:38:41.000Z", - "message": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n" - } - ] -} \ No newline at end of file diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log new file mode 100644 index 000000000000..155198e943ef --- /dev/null +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log 
@@ -0,0 +1,3 @@ + <131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118 + <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 + <123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log-expected.json similarity index 75% rename from packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json rename to packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log-expected.json index fe8f0d681351..0e1741c2eeef 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.log-expected.json 
@@ -1,11 +1,10 @@ { "expected": [ { - "@timestamp": "2024-08-10T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", + "detail": " <131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", "device_event_class_id": "TCP", "extended": { "message": "Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118" @@ -51,7 +50,7 @@ ], "end": "2024-10-08T09:38:41.000Z", "id": "6715345", - "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n", + "original": " <131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118", "severity": 0, "timezone": "UTC", "type": [ 
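Review bot: `"end": "2024-10-08T09:38:41.000Z"` is kept as context for a `Delink Time 10/08/2024:09:38:41` line, while the identical line in `test-citrix-native-with-delink.log-expected.json` earlier in this patch yields `"end": "2024-08-10T09:38:41.000Z"`; the two fixtures pin opposite readings of the same ambiguous day/month value. That difference presumably comes from the delink test setting `custom_date_format: "dd/MM/yyyy:HH:mm:ss"` while this test's `.log-config.yml` (not in the patch) leaves the `MM/dd` formats to be tried first; either give this test the same `custom_date_format` or use a sample date with a day above 12 so the expectation is unambiguous.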
@@ -90,11 +89,10 @@ ] }, { - "@timestamp": "2024-08-10T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", + "detail": " <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", "device_event_class_id": "TCP", "extended": { "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 " @@ -115,7 +113,7 @@ "network" ], "id": "6715345", - "original": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", + "original": " <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", "severity": 0, "timezone": "UTC", "type": [ 
@@ -134,11 +132,10 @@ ] }, { - "@timestamp": "2024-08-21T09:38:41.000Z", "citrix": { "cef_format": false, "default_class": true, - "detail": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", + "detail": " <123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", "device_event_class_id": "TCP", "extended": { "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 " @@ -159,7 +156,7 @@ "network" ], "id": "6715345", - "original": "<123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n", + "original": " <123> 21/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 21/08/2024:09:37:54 - End Time 21/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ", "severity": 0, "timezone": "UTC", "type": [