Merge branch 'main' into kafka-docs-update

Author: stefans-elastic

packages/citrix_adc/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.2"
+ changes:
+ - description: "Fix grok processing for HTTPREQUEST and UDPFLOWSTAT in sslvpn_and_aaatm_feature pipeline with optional patterns."
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15378
 - version: "1.17.1"
  changes:
  - description: "Fix Grok processing for LOGOUT and HTTPREQUEST event types in sslvpn_and_aaatm_feature pipeline."

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log

@@ -0,0 +1,2 @@
+<134> 11/18/2024:11:11:00 GMT DCLVNSGP001 0-PPE-1 : default SSLVPN HTTPREQUEST 12345678 0 : [TECHSUPPORT][ENUMERATION] some.url.com User some@url.com : Group(s) N/A : Vserver 0.0.0.0:300 - 09/04/2025:18:24:45 GMT : Message = SSO is OFF : GET /path/path.xml - -
+<134> 09/04/2025:18:24:36 GMT DCLVNSGP001 0-PPE-6 : default SSLVPN UDPFLOWSTAT 58680561 0 : [TECHSUPPORT] User username.example.com - Client_ip 175.16.199.1 - Nat_ip 89.160.20.129 - Vserver 67.43.156.1:443 - Source 81.2.69.194:63685 - Destination 1.128.0.1:53 - Start_time "09/09/2024:20:44:03 GMT" - End_time "09/09/2024:20:46:06 GMT" - Duration 00:05:53 - Total_bytes_send 656 - Total_bytes_recv 2456 - Access Allowed - Group(s) "N/A"

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json

@@ -0,0 +1,221 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-11-18T11:11:00.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<134> 11/18/2024:11:11:00 GMT DCLVNSGP001 0-PPE-1 : default SSLVPN HTTPREQUEST 12345678 0 : [TECHSUPPORT][ENUMERATION] some.url.com User some@url.com : Group(s) N/A : Vserver 0.0.0.0:300 - 09/04/2025:18:24:45 GMT : Message = SSO is OFF : GET /path/path.xml - -",
+ "device_event_class_id": "SSLVPN",
+ "extended": {
+ "message": "[TECHSUPPORT][ENUMERATION] some.url.com User some@url.com : Group(s) N/A : Vserver 0.0.0.0:300 - 09/04/2025:18:24:45 GMT : Message = SSO is OFF : GET /path/path.xml - -"
+ },
+ "host": "DCLVNSGP001",
+ "name": "HTTPREQUEST"
+ },
+ "citrix_adc": {
+ "log": {
+ "groups": "N/A",
+ "hostname": "some.url.com",
+ "message": "[TECHSUPPORT][ENUMERATION] some.url.com User some@url.com : Group(s) N/A : Vserver 0.0.0.0:300 - 09/04/2025:18:24:45 GMT : Message = SSO is OFF : GET /path/path.xml - -",
+ "method": "GET",
+ "request": {
+ "path": "/path/path.xml"
+ },
+ "sso_status": "OFF",
+ "timestamp": "2025-09-04T18:24:45.000Z",
+ "timezone": "GMT",
+ "user": "some@url.com",
+ "vserver": {
+ "ip": "0.0.0.0",
+ "port": 300
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "id": "12345678",
+ "kind": "event",
+ "original": "<134> 11/18/2024:11:11:00 GMT DCLVNSGP001 0-PPE-1 : default SSLVPN HTTPREQUEST 12345678 0 : [TECHSUPPORT][ENUMERATION] some.url.com User some@url.com : Group(s) N/A : Vserver 0.0.0.0:300 - 09/04/2025:18:24:45 GMT : Message = SSO is OFF : GET /path/path.xml - -",
+ "severity": 0,
+ "timezone": "GMT",
+ "type": [
+ "info"
+ ]
+ },
+ "group": {
+ "name": "N/A"
+ },
+ "observer": {
+ "hostname": "DCLVNSGP001",
+ "product": "Netscaler",
+ "type": "firewall",
+ "vendor": "Citrix"
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0"
+ ],
+ "user": [
+ "some",
+ "some@url.com"
+ ]
+ },
+ "server": {
+ "ip": "0.0.0.0",
+ "port": 300
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "url": {
+ "domain": "some.url.com"
+ },
+ "user": {
+ "domain": "url.com",
+ "email": "some@url.com",
+ "name": "some"
+ }
+ },
+ {
+ "@timestamp": "2025-09-04T18:24:36.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<134> 09/04/2025:18:24:36 GMT DCLVNSGP001 0-PPE-6 : default SSLVPN UDPFLOWSTAT 58680561 0 : [TECHSUPPORT] User username.example.com - Client_ip 175.16.199.1 - Nat_ip 89.160.20.129 - Vserver 67.43.156.1:443 - Source 81.2.69.194:63685 - Destination 1.128.0.1:53 - Start_time \"09/09/2024:20:44:03 GMT\" - End_time \"09/09/2024:20:46:06 GMT\" - Duration 00:05:53 - Total_bytes_send 656 - Total_bytes_recv 2456 - Access Allowed - Group(s) \"N/A\"",
+ "device_event_class_id": "SSLVPN",
+ "extended": {
+ "message": "[TECHSUPPORT] User username.example.com - Client_ip 175.16.199.1 - Nat_ip 89.160.20.129 - Vserver 67.43.156.1:443 - Source 81.2.69.194:63685 - Destination 1.128.0.1:53 - Start_time \"09/09/2024:20:44:03 GMT\" - End_time \"09/09/2024:20:46:06 GMT\" - Duration 00:05:53 - Total_bytes_send 656 - Total_bytes_recv 2456 - Access Allowed - Group(s) \"N/A\""
+ },
+ "host": "DCLVNSGP001",
+ "name": "UDPFLOWSTAT"
+ },
+ "citrix_adc": {
+ "log": {
+ "access": "Allowed",
+ "client_ip": "175.16.199.1",
+ "destination": {
+ "ip": "1.128.0.1",
+ "port": 53
+ },
+ "duration": "00:05:53 ",
+ "end_time": "2024-09-09T20:46:06.000Z",
+ "groups": "N/A",
+ "message": "[TECHSUPPORT] User username.example.com - Client_ip 175.16.199.1 - Nat_ip 89.160.20.129 - Vserver 67.43.156.1:443 - Source 81.2.69.194:63685 - Destination 1.128.0.1:53 - Start_time \"09/09/2024:20:44:03 GMT\" - End_time \"09/09/2024:20:46:06 GMT\" - Duration 00:05:53 - Total_bytes_send 656 - Total_bytes_recv 2456 - Access Allowed - Group(s) \"N/A\"",
+ "nat": {
+ "ip": "89.160.20.129"
+ },
+ "source": {
+ "ip": "81.2.69.194",
+ "port": 63685
+ },
+ "start_time": "2024-09-09T20:44:03.000Z",
+ "total_bytes_received": 2456,
+ "total_bytes_send": 656,
+ "user": "username.example.com",
+ "vserver": {
+ "ip": "67.43.156.1",
+ "port": 443
+ }
+ }
+ },
+ "client": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1"
+ },
+ "destination": {
+ "bytes": 2456,
+ "ip": "1.128.0.1",
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "duration": 123000000000,
+ "end": "2024-09-09T20:46:06.000Z",
+ "id": "58680561",
+ "kind": "event",
+ "original": "<134> 09/04/2025:18:24:36 GMT DCLVNSGP001 0-PPE-6 : default SSLVPN UDPFLOWSTAT 58680561 0 : [TECHSUPPORT] User username.example.com - Client_ip 175.16.199.1 - Nat_ip 89.160.20.129 - Vserver 67.43.156.1:443 - Source 81.2.69.194:63685 - Destination 1.128.0.1:53 - Start_time \"09/09/2024:20:44:03 GMT\" - End_time \"09/09/2024:20:46:06 GMT\" - Duration 00:05:53 - Total_bytes_send 656 - Total_bytes_recv 2456 - Access Allowed - Group(s) \"N/A\"",
+ "severity": 0,
+ "start": "2024-09-09T20:44:03.000Z",
+ "timezone": "GMT",
+ "type": [
+ "info"
+ ]
+ },
+ "group": {
+ "name": "N/A"
+ },
+ "observer": {
+ "hostname": "DCLVNSGP001",
+ "product": "Netscaler",
+ "type": "firewall",
+ "vendor": "Citrix"
+ },
+ "related": {
+ "ip": [
+ "81.2.69.194",
+ "1.128.0.1",
+ "89.160.20.129",
+ "67.43.156.1",
+ "175.16.199.1"
+ ],
+ "user": [
+ "username.example.com"
+ ]
+ },
+ "server": {
+ "ip": "67.43.156.1",
+ "port": 443
+ },
+ "source": {
+ "bytes": 656,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.194",
+ "nat": {
+ "ip": "89.160.20.129"
+ },
+ "port": 63685
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "username.example.com"
+ }
+ }
+ ]
+}

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json

@@ -8963,11 +8963,12 @@
  "groups": "N/A",
  "hostname": "citrix.example.com",
  "message": "Context user.name@81.2.69.145 - SessionId: 1756710 - [TECHSUPPORT][ENUMERATION] citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : Message = SSO is OFF : POST /TEST/.test - -",
- "method": "Message",
+ "method": "POST",
  "request": {
- "path": "= SSO is OFF : POST /TEST/.test"
+ "path": "/TEST/.test"
  },
  "session_id": "1756710",
+ "sso_status": "OFF",
  "timestamp": "2024-07-12T06:54:39.000Z",
  "timezone": "GMT",
  "user": "user.name",

packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml

@@ -75,7 +75,7 @@ processors:
  field: citrix.extended.message
  patterns:
  - '^User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"${DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$'
- - '^Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - \[%{DATA}\] User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"${DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$'
+ - '^(Context %{DATA:citrix_adc.log.username}@%{IP} - SessionId: %{NUMBER:citrix_adc.log.session_id} - )?(\[%{DATA}\] )?User %{DATA:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip (%{IP:citrix_adc.log.nat.ip}|"${DATA}") - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time "%{DATA:_tmp.start_time}" - End_time "%{GREEDYDATA:_tmp.end_time}" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) "%{DATA:citrix_adc.log.groups}" ?$'
 
  - grok:
  tag: grok_sslvpn_httprequest
@@ -91,7 +91,7 @@ processors:
  REQUEST_INFO: "%{WORD:citrix_adc.log.method} %{DATA:citrix_adc.log.request.path} - -"
  TIMESTAMP_TZ: "%{DATA:_tmp.timestamp} %{DATA:citrix_adc.log.timezone}"
  patterns:
- - '^%{CONTEXT_INFO} %{TECH_SUPPORT}%{HOST_USER_GROUP} : %{VSERVER_INFO} - %{DATA:_tmp.timestamp}(?: %{WORD:citrix_adc.log.timezone})?(?: : SSO is %{WORD:citrix_adc.log.sso_status})? : %{REQUEST_INFO} ?$'
+ - '^(?:%{CONTEXT_INFO} )?%{TECH_SUPPORT}%{HOST_USER_GROUP} : %{VSERVER_INFO} - %{DATA:_tmp.timestamp}(?: %{WORD:citrix_adc.log.timezone})?(?: : (?:Message = )?SSO is %{WORD:citrix_adc.log.sso_status})? : %{REQUEST_INFO} ?$'
  - '^%{CONTEXT_INFO} %{TECH_SUPPORT}%{HOST_USER_GROUP} : %{VSERVER_INFO} - %{TIMESTAMP_TZ} %{REQUEST_INFO} ?$'
 
  - grok:

packages/citrix_adc/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: citrix_adc
 title: Citrix ADC
-version: "1.17.1"
+version: "1.17.2"
 description: This Elastic integration collects logs and metrics from Citrix ADC product.
 type: integration
 categories: