does Log Server support Netscaler ?

[gornm565]

Does Nagios Log Server support Citrix Netscaler? Can it receive logs from it?
Thank you.

[scottwilkerson]

I'm not personally familiar with that software, but a quick google search I found this which are some looks like a filters you could add into Log Server and send the data via syslog input

https://gist.github.com/haukurk/95a7dad58ff475fbb987

[gornm565]

Where in the Nagios Log Server do I input this config to be able to index the Netscaler syslog output?

[cdienger]

Inputs and filters can be added under Administration > Global > Global Configuration > Add Inputs / Add Filter.

https://assets.nagios.com/downloads/nag ... ilters.pdf

[gornm565]

I am sending syslog from the Netscaler to the Nagios Log Server and NLS is successfully receiving the logs. However, the message part isn't being indexed. I tried adding the Filter using instructions above but I am getting an error: "There was an error in the configuration!" when I try to Verify Configuration. Any ideas on where to go from here?

[gornm565]

Here's a typical syslog message:

10.212.7.3 09/18/2017:19:56:27 GMT NYCTXPROD1 0-PPE-0 : default SSLVPN ICAEND_CONNSTAT 348417 0 : Source 244.71.101.34:57682 - Destination 10.222.7.154:2598 - username:domainname abusell:propriet.com - startTime "09/18/2017:19:33:33 GMT" - endTime "09/18/2017:19:56:27 GMT" - Duration 00:22:54 - Total_bytes_send 569291 - Total_bytes_recv 14979972 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 88ade3

How do I index it, so that the username, the source/destination IP address/port and timestamps are searchable?

[cdienger]

If there's a problem with the config, the verify will usually throw some detailed output usually complaining about missing something it expected. Can you provide a screenshot? I'd like to see this as well as the config which can be gathered by clicking the View button on the Global Configuration screen and selecting All Files Combined.

[tacolover101]

Here's a typical syslog message:

10.212.7.3 09/18/2017:19:56:27 GMT NYCTXPROD1 0-PPE-0 : default SSLVPN ICAEND_CONNSTAT 348417 0 : Source 244.71.101.34:57682 - Destination 10.222.7.154:2598 - username:domainname abusell:propriet.com - startTime "09/18/2017:19:33:33 GMT" - endTime "09/18/2017:19:56:27 GMT" - Duration 00:22:54 - Total_bytes_send 569291 - Total_bytes_recv 14979972 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 88ade3

How do I index it, so that the username, the source/destination IP address/port and timestamps are searchable?

make a grok pattern to parse it. this tool is pretty handy to help verify - https://grokdebug.herokuapp.com/

[cdienger]

Thanks for the link, tacolover101!

[gornm565]

View All Files Combined:

Code: Select all

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 19 Sep 2017 18:55:28 -0400
#

#
# Global inputs
#

input {
    syslog {
        type => 'syslog'
        port => 5544
    }
    tcp {
        type => 'eventlog'
        port => 3515
        codec => json {
            charset => 'CP1252'
        }
    }
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    tcp {
        type => 'import_json'
        tags => 'import_json'
        port => 2057
        codec => json
    }
    filter {
            grok {
                            break_on_match => true
                            match => [
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - %{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:clientip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}",
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
                            ]
                    }
}

#
# Local inputs
#



#
# Global filters
#

filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
             convert => [ 'bytes', 'integer' ]
             convert => [ 'response', 'integer' ]
        }
    }
     
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
}

#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#

If there's a problem with the config, the verify will usually throw some detailed output usually complaining about missing something it expected. Can you provide a screenshot? I'd like to see this as well as the config which can be gathered by clicking the View button on the Global Configuration screen and selecting All Files Combined.