Citrix ADC Integration Grok Fix

packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc.log

@@ -14,3 +14,4 @@ Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : T
 Oct 6 14:03:30 <local0.info> 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
 Oct 6 14:03:30 <local0.info> 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
 Oct 6 14:03:30 <local0.info> 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
+<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118

packages/citrix_adc/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.1"
+ changes:
+ - description: Timezone field made optional for the citrix_adc log messages
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10778
 - version: "1.7.0"
  changes:
  - description: ECS version updated to 8.11.0. Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json

@@ -0,0 +1,14 @@
+{
+ "events": [
+ {
+ "@timestamp": "2024-08-10T09:38:41.000Z",
+ "message": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n"
+
+ },
+ {
+ "@timestamp": "2024-08-10T09:38:41.000Z",
+ "message": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n"
+
+ }
+ ]
+}

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-native.json-expected.json

@@ -0,0 +1,137 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-08T09:38:41.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118",
+ "device_event_class_id": "TCP",
+ "extended": {
+ "message": "Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118"
+ },
+ "host": "SYSLOGHOST",
+ "name": "CONN_DELINK"
+ },
+ "citrix_adc": {
+ "log": {
+ "delink_time": "2024-10-08T09:38:41.000Z",
+ "destination": {
+ "ip": "81.2.69.144",
+ "port": 80
+ },
+ "message": "Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118",
+ "nat": {
+ "ip": "192.168.10.10",
+ "port": 52187
+ },
+ "source": {
+ "ip": "127.1.2.1",
+ "port": 80
+ },
+ "total_bytes_received": 3118,
+ "total_bytes_send": 0,
+ "vserver": {
+ "ip": "81.2.69.144",
+ "port": 80
+ }
+ }
+ },
+ "destination": {
+ "bytes": 3118,
+ "ip": "81.2.69.144",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "end": "2024-10-08T09:38:41.000Z",
+ "id": "6715345",
+ "original": "<131> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_DELINK 6715345 0 : Source 127.1.2.1:80 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/08/2024:09:38:41 - Total_bytes_send 0 - Total_bytes_recv 3118\n",
+ "severity": 0,
+ "timezone": "UTC",
+ "type": [
+ "end",
+ "connection"
+ ]
+ },
+ "observer": {
+ "product": "Netscaler",
+ "type": "firewall",
+ "vendor": "Citrix"
+ },
+ "related": {
+ "ip": [
+ "127.1.2.1",
+ "81.2.69.144",
+ "192.168.10.10"
+ ]
+ },
+ "server": {
+ "ip": "81.2.69.144",
+ "port": 80
+ },
+ "source": {
+ "bytes": 0,
+ "ip": "127.1.2.1",
+ "nat": {
+ "ip": "192.168.10.10",
+ "port": 52187
+ },
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2024-10-08T09:38:41.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 ",
+ "device_event_class_id": "TCP",
+ "extended": {
+ "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 "
+ },
+ "host": "SYSLOGHOST",
+ "name": "CONN_TERMINATE"
+ },
+ "citrix_adc": {
+ "log": {
+ "message": "Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 "
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "id": "6715345",
+ "original": "<123> 10/08/2024:09:38:41 SYSLOGHOST 0-PPE-1 : default TCP CONN_TERMINATE 6715345 0 : Source 127.1.2.1:80 - Destination 127.1.1.2:20714 - Start Time 10/08/2024:09:37:54 - End Time 10/08/2024:09:38:41 - Total_bytes_send 1 - Total_bytes_recv 1 \n",
+ "severity": 0,
+ "timezone": "UTC",
+ "type": [
+ "end",
+ "connection"
+ ]
+ },
+ "observer": {
+ "product": "Netscaler",
+ "type": "firewall",
+ "vendor": "Citrix"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json

@@ -1797,7 +1797,6 @@
  "preserve_duplicate_custom_fields"
  ],
  "url": {
- "extension": "com/page",
  "original": "www.example.com/page",
  "path": "www.example.com/page"
  }

packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml

@@ -13,7 +13,7 @@ processors:
  - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"'
  - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}'
  pattern_definitions:
- HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone} (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
+ HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone}? (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
  NATIVE_TIMESTAMP: '(?:%{MONTHNUM}/%{MONTHDAY}/%{YEAR}|%{YEAR}/%{MONTHNUM}/%{MONTHDAY}):%{HOUR}:%{MINUTE}:%{SECOND}'
  - grok:
  description: Parse out details.

packages/citrix_adc/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: citrix_adc
 title: Citrix ADC
-version: "1.7.0"
+version: "1.7.1"
 description: This Elastic integration collects logs and metrics from Citrix ADC product.
 type: integration
 categories: