Citrix ADC Integration Grok Fix #10778
Conversation
andrewkroh added Integration:citrix_adc 
🚀 Benchmarks reportPackage |
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
interface | 5780.35 | 3861 | -1919.35 (-33.2%) | 💔 |
system | 6289.31 | 5319.15 | -970.16 (-15.43%) | 💔 |
To see the full report comment with /test benchmark fullreport
packages/citrix_adc/changelog.yml Outdated
| # newer versions go on top | ||
| - version: "1.7.1" | ||
| changes: | ||
| - description: Timezone field has been updated to optional in the native header Grok pattern. |
There was a problem hiding this comment.
| - description: Timezone field has been updated to optional in the native header Grok pattern. | |
| - description: Timezone field made optional for the citrix_adc log messages | |
| @Linu-Elias : There are couple more ingest pipeline as well in citrix_adc other than native.yml Tagging @elastic/security-external-integrations for review as well since they implemented the log part of the Citrix ADC. |
There was a problem hiding this comment.
@Linu-Elias Please check if we need the change on other ingest pipelines, otherwise looks good
| Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command "scp file.txt" - Status "Success" | ||
| Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234 | ||
| Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234 | ||
| <123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n |
There was a problem hiding this comment.
Should this have a terminal \n literal? That doesn't look right.
There was a problem hiding this comment.
There's a difference between this line and what are in the event.original samples from the user. The user's samples have an actual newline at the end of the event.original (encoded to "\n" in JSON). What's in in this .log file is a slash followed by an "n" to be literal. You can see that in the expected.json file where it contains "Total_bytes_recv 1 \\n" instead of "Total_bytes_recv 1 \n".
To match a test case to the user's samples, I think you will need to use the a .json test file instead of .log so that you can encode the newline into the message.
There was a problem hiding this comment.
@andrewkroh Thanks, I have now used a .json file intead of .log. In this context, the expected.json file contains "Total_bytes_recv 1 \n" intead of "Total_bytes_recv 1 \\n".
@ishleenk17 I don't think we need to change other ingest pipelines since they all are passing with this change. |
andrewkroh dismissed efd6’s stale review The requested change has been made. See #10778 (comment)
💚 Build Succeeded
History
|
|
| Package citrix_adc - 1.7.1 containing this change is available at https://epr.elastic.co/search?package=citrix_adc |
* grok pattern fix * description * added json log file * added in citrix-adc.log
* grok pattern fix * description * added json log file * added in citrix-adc.log
6 participants
Proposed commit message
SDH issue on Citrix-ADC logs not being ingested properly.
In
citrix_adc.logdatastream, the grok pattern has timezone which is not optional hence below log formats are failing<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \nFix -
%{WORD: event.timezone}optional in native.yaml fileChecklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
elastic-package test pipeline -v -gRelated issues
Closes #10782
Screenshots