does Log Server support Netscaler ?

Posted: Wed Sep 06, 2017 3:58 pm
by gornm565
Does Nagios Log Server support Citrix Netscaler? Can it receive logs from it?
Thank you.

Re: does Log Server support Netscaler ?

Posted: Wed Sep 06, 2017 4:41 pm
by scottwilkerson
I'm not personally familiar with that software, but in a quick Google search I found this, which looks like some filters you could add into Log Server and send the data to via the syslog input:

https://gist.github.com/haukurk/95a7dad58ff475fbb987

Re: does Log Server support Netscaler ?

Posted: Mon Sep 18, 2017 3:02 pm
by gornm565
Where in the Nagios Log Server do I input this config to be able to index the Netscaler syslog output?

Re: does Log Server support Netscaler ?

Posted: Mon Sep 18, 2017 3:08 pm
by cdienger
Inputs and filters can be added under Administration > Global > Global Configuration > Add Inputs / Add Filter.

https://assets.nagios.com/downloads/nag ... ilters.pdf

Re: does Log Server support Netscaler ?

Posted: Mon Sep 18, 2017 3:43 pm
by gornm565
I am sending syslog from the Netscaler to the Nagios Log Server and NLS is successfully receiving the logs. However, the message part isn't being indexed. I tried adding the Filter using instructions above but I am getting an error: "There was an error in the configuration!" when I try to Verify Configuration. Any ideas on where to go from here?

Re: does Log Server support Netscaler ?

Posted: Mon Sep 18, 2017 4:03 pm
by gornm565
Here's a typical syslog message:

10.212.7.3 09/18/2017:19:56:27 GMT NYCTXPROD1 0-PPE-0 : default SSLVPN ICAEND_CONNSTAT 348417 0 : Source 244.71.101.34:57682 - Destination 10.222.7.154:2598 - username:domainname abusell:propriet.com - startTime "09/18/2017:19:33:33 GMT" - endTime "09/18/2017:19:56:27 GMT" - Duration 00:22:54 - Total_bytes_send 569291 - Total_bytes_recv 14979972 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 88ade3

How do I index it, so that the username, the source/destination IP address/port and timestamps are searchable?

Re: does Log Server support Netscaler ?

Posted: Mon Sep 18, 2017 4:50 pm
by cdienger
If there's a problem with the config, the verify will usually throw some detailed output usually complaining about missing something it expected. Can you provide a screenshot? I'd like to see this as well as the config which can be gathered by clicking the View button on the Global Configuration screen and selecting All Files Combined.

Re: does Log Server support Netscaler ?

Posted: Mon Sep 18, 2017 5:15 pm
by tacolover101
gornm565 wrote: Here's a typical syslog message:

10.212.7.3 09/18/2017:19:56:27 GMT NYCTXPROD1 0-PPE-0 : default SSLVPN ICAEND_CONNSTAT 348417 0 : Source 244.71.101.34:57682 - Destination 10.222.7.154:2598 - username:domainname abusell:propriet.com - startTime "09/18/2017:19:33:33 GMT" - endTime "09/18/2017:19:56:27 GMT" - Duration 00:22:54 - Total_bytes_send 569291 - Total_bytes_recv 14979972 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 88ade3

How do I index it, so that the username, the source/destination IP address/port and timestamps are searchable?
Make a grok pattern to parse it. This tool is pretty handy to help verify: https://grokdebug.herokuapp.com/
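For the ICAEND_CONNSTAT line quoted above, the pieces a pattern has to capture are a fixed prefix (relay address, NetScaler timestamp, hostname, packet engine, partition, feature, event name and two numbers) followed by a " - " separated list of "key value" pairs. The parser below is an added example in plain Python, not code from the thread or from Nagios Log Server; it uses the same field boundaries a grok pattern for this line needs (the Source pair is exactly what %{IP:source_ip}:%{POSINT:source_port} captures), so it is a way to check the layout and the resulting field types before building the Logstash filter. The names relay_ip, event_id, event_level and session_seconds are assumptions of this example, not NetScaler's own field names.

```python
"""Parse a Citrix NetScaler ICAEND_CONNSTAT syslog line into searchable fields.

Added example (re + datetime only); not code from the thread or from
Nagios Log Server.  Field names marked as assumed are this example's choice.
"""
import re
from datetime import datetime, timezone

# The sample line quoted in the thread.
SAMPLE = (
    '10.212.7.3 09/18/2017:19:56:27 GMT NYCTXPROD1 0-PPE-0 : default SSLVPN '
    'ICAEND_CONNSTAT 348417 0 : Source 244.71.101.34:57682 - '
    'Destination 10.222.7.154:2598 - username:domainname abusell:propriet.com - '
    'startTime "09/18/2017:19:33:33 GMT" - endTime "09/18/2017:19:56:27 GMT" - '
    'Duration 00:22:54 - Total_bytes_send 569291 - Total_bytes_recv 14979972 - '
    'Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - '
    'Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - '
    'connectionId 88ade3'
)

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'

# Fixed prefix, then "partition feature EVENT id level : body".
# relay_ip (the address in front of the message), event_id and event_level
# are assumed names; the thread does not say what those values mean.
HEADER_RE = re.compile(
    rf'^(?P<relay_ip>{IPV4}) '
    r'(?P<timestamp>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2} GMT) '
    r'(?P<hostname>\S+) (?P<ppe>\S+) : '
    r'(?P<partition>\S+) (?P<feature>\S+) (?P<event>\S+) '
    r'(?P<event_id>\d+) (?P<event_level>\d+) : (?P<body>.*)$'
)
# "ip:port" as written after Source / Destination.
ENDPOINT_RE = re.compile(rf'^(?P<ip>{IPV4}):(?P<port>\d+)$')


def _parse_time(value):
    """'09/18/2017:19:56:27 GMT' -> timezone-aware datetime in UTC."""
    return datetime.strptime(value, '%m/%d/%Y:%H:%M:%S GMT').replace(tzinfo=timezone.utc)


def _split_body(body):
    """'Key value - Key value - ...' -> dict, with quotes around values dropped.
    A value that itself contained ' - ' would be split too; none of the
    fields in the sample line do."""
    fields = {}
    for chunk in body.split(' - '):
        key, _, value = chunk.partition(' ')
        fields[key] = value.strip('"')
    return fields


def parse_netscaler(line):
    """Return a flat dict of typed fields, or None when the line is not in this
    NetScaler format (so such lines can stay with the generic syslog parsing)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['timestamp'] = _parse_time(rec['timestamp'])
    rec['event_id'] = int(rec['event_id'])
    rec['event_level'] = int(rec['event_level'])
    for key, value in _split_body(rec.pop('body')).items():
        if key in ('Source', 'Destination'):
            ep = ENDPOINT_RE.match(value)
            if ep is None:
                return None
            rec[key.lower() + '_ip'] = ep['ip']
            rec[key.lower() + '_port'] = int(ep['port'])
        elif key == 'username:domainname':
            # NetScaler writes the key pair and the value pair with one colon each.
            rec['username'], _, rec['domainname'] = value.partition(':')
        elif key in ('startTime', 'endTime'):
            rec[key] = _parse_time(value)
        elif value.isdigit():
            rec[key] = int(value)          # byte counters become integers
        else:
            rec[key] = value               # Duration, ratios, connectionId stay strings
    if 'startTime' in rec and 'endTime' in rec:
        # Derived field (assumed name): handy for searching on long sessions.
        rec['session_seconds'] = int((rec['endTime'] - rec['startTime']).total_seconds())
    return rec


if __name__ == '__main__':
    for key, value in parse_netscaler(SAMPLE).items():
        print(f'{key:28} {value}')
```

Running the script prints one typed field per line. The same split carries over to Logstash: the prefix and the Source/Destination pairs become IP, POSINT and DATA captures in a grok pattern, and the quoted startTime/endTime values can then be handed to a date filter so they are indexed as timestamps rather than text.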

Re: does Log Server support Netscaler ?

Posted: Tue Sep 19, 2017 10:40 am
by cdienger
Thanks for the link, tacolover101!

Re: does Log Server support Netscaler ?

Posted: Tue Sep 19, 2017 5:56 pm
by gornm565
View All Files Combined:

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 19 Sep 2017 18:55:28 -0400
#

#
# Global inputs
#

input {
    syslog {
        type => 'syslog'
        port => 5544
    }
    tcp {
        type => 'eventlog'
        port => 3515
        codec => json {
            charset => 'CP1252'
        }
    }
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    tcp {
        type => 'import_json'
        tags => 'import_json'
        port => 2057
        codec => json
    }
    filter {
            grok {
                            break_on_match => true
                            match => [
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - %{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:clientip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}",
                                    "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
                            ]
                    }
}

#
# Local inputs
#



#
# Global filters
#

filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
             convert => [ 'bytes', 'integer' ]
             convert => [ 'response', 'integer' ]
        }
    }
     
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
}

#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#
cdienger wrote: If there's a problem with the config, the verify will usually throw some detailed output usually complaining about missing something it expected. Can you provide a screenshot? I'd like to see this as well as the config which can be gathered by clicking the View button on the Global Configuration screen and selecting All Files Combined.
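One thing visible in the combined file above: the grok `filter { ... }` opens inside the `input { ... }` block, so the closing brace Nagios Log Server writes for the input section ends up closing the filter instead, and the dedicated "Global filters" section of the file is empty. Logstash only accepts input, filter and output as top-level sections, which is enough on its own to make Verify Configuration fail, and it is consistent with the grok block having been pasted under Add Inputs rather than Add Filter. The following check is an added example, not part of Nagios Log Server or of the thread: it walks a Logstash config, ignores braces inside string literals (grok patterns are full of them) and comments, and reports any section keyword that opens while another section is still open, plus any braces left unclosed at the end of the file. BROKEN and FIXED are constructed excerpts in the shape of the posted file; FIXED shows the grok block moved into its own top-level filter section, guarded by the input's type.

```python
"""Spot input/filter/output sections nested inside another section of a
Logstash config.  Added example, not Nagios Log Server or Logstash code."""
import re

# Constructed excerpt mirroring the posted layout: the filter sits inside
# input, and the file ends with one brace still open.
BROKEN = '''\
input {
    syslog {
        type => 'syslog'
        port => 5544
    }
    filter {
        grok {
            match => [
                "message", "<%{POSINT:syslog_pri}> %{GREEDYDATA:netscaler_message}"
            ]
        }
}

filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}' ]
        }
    }
}
'''

# Constructed corrected layout: the grok block is a top-level filter, applied
# only to events that came in through the syslog input.
FIXED = '''\
input {
    syslog {
        type => 'syslog'
        port => 5544
    }
}

filter {
    if [type] == 'syslog' {
        grok {
            match => [
                "message", "<%{POSINT:syslog_pri}> %{GREEDYDATA:netscaler_message}"
            ]
        }
    }
}
'''

SECTION_RE = re.compile(r'^\s*(input|filter|output)\s*\{')


def _code_only(line):
    """Characters of a config line outside '...'/"..." literals and before a
    # comment, so braces inside grok patterns are not counted."""
    out = []
    quote = None
    escaped = False
    for ch in line:
        if quote is not None:
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == quote:
                quote = None
            continue
        if ch == '#':
            break
        if ch in ('"', "'"):
            quote = ch
            continue
        out.append(ch)
    return ''.join(out)


def check_logstash_sections(config_text):
    """Return {'misplaced': [(keyword, line_no, depth), ...], 'unclosed': depth}.
    A section keyword is misplaced when it opens at brace depth > 0."""
    depth = 0
    misplaced = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        code = _code_only(line)
        m = SECTION_RE.match(code)
        if m and depth > 0:
            misplaced.append((m.group(1), line_no, depth))
        depth += code.count('{') - code.count('}')
    return {'misplaced': misplaced, 'unclosed': depth}


if __name__ == '__main__':
    for name, text in (('BROKEN', BROKEN), ('FIXED', FIXED)):
        result = check_logstash_sections(text)
        print(name, result)
```

On BROKEN the check reports the nested filter on line 6 and, because the input section is never closed, the second filter on line 14 as well, with one brace still open at end of file; on FIXED it reports nothing. It is deliberately not a full Logstash parser, just enough to catch the layout mistake before handing the file to Verify Configuration.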