forked from elastic/integrations
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[citrix_adc] Handle time zone parsing in sslvpn_and_aaatm_feature pip…
…eline (elastic#10846) This has a few pipeline improvements * Fail if sslvpn_and_aaatm_feature message data cannot be parsed. If this data is not parsed, most data provided by this pipeline is silently not populated. So I think overall its better to fail, so that users and developers are more aware that there is an error. * Improve parsing of the message to handle optional space between username and group. Both formats have been observed. * Handle the presence of time zone in the message timestamp.
- Loading branch information
Showing
5 changed files
with
207 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -105,3 +105,5 @@ Jun 22 19:14:37 <local0.info> 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : S | |
Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command "scp file.txt" - Status "Success" | ||
Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234 | ||
Oct 6 14:03:23 <local0.info> 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234 | ||
Jun 22 19:14:37 <local0.info> 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - - | ||
Jun 22 19:14:37 <local0.info> 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8511,6 +8511,200 @@ | |
"query": "id=1234", | ||
"scheme": "https" | ||
} | ||
}, | ||
{ | ||
"@timestamp": "2015-06-22T19:14:37.000Z", | ||
"citrix": { | ||
"cef_format": false, | ||
"detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", | ||
"device_event_class_id": "SSLVPN", | ||
"extended": { | ||
"message": "Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -" | ||
}, | ||
"facility": "local0", | ||
"host": "ns", | ||
"name": "HTTPREQUEST", | ||
"priority": "info" | ||
}, | ||
"citrix_adc": { | ||
"log": { | ||
"client_ip": "81.2.69.145", | ||
"groups": "N/A", | ||
"hostname": "citrix.example.com", | ||
"message": "Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", | ||
"method": "POST", | ||
"request": { | ||
"path": "/Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre-" | ||
}, | ||
"session_id": "1756710", | ||
"sso_status": "ON", | ||
"timestamp": "2024-07-12T06:54:39.000Z", | ||
"user": "user.name", | ||
"username": "user.name", | ||
"vserver": { | ||
"ip": "81.2.69.143", | ||
"port": 443 | ||
} | ||
} | ||
}, | ||
"client": { | ||
"geo": { | ||
"city_name": "London", | ||
"continent_name": "Europe", | ||
"country_iso_code": "GB", | ||
"country_name": "United Kingdom", | ||
"location": { | ||
"lat": 51.5142, | ||
"lon": -0.0931 | ||
}, | ||
"region_iso_code": "GB-ENG", | ||
"region_name": "England" | ||
}, | ||
"ip": "81.2.69.145" | ||
}, | ||
"ecs": { | ||
"version": "8.11.0" | ||
}, | ||
"event": { | ||
"category": [ | ||
"authentication" | ||
], | ||
"id": "152923587", | ||
"original": "Jun 22 19:14:37 <local0.info> 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name: Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", | ||
"severity": 0, | ||
"timezone": "GMT", | ||
"type": [ | ||
"info" | ||
] | ||
}, | ||
"group": { | ||
"name": "N/A" | ||
}, | ||
"observer": { | ||
"product": "Netscaler", | ||
"type": "firewall", | ||
"vendor": "Citrix" | ||
}, | ||
"related": { | ||
"ip": [ | ||
"81.2.69.143", | ||
"81.2.69.145" | ||
], | ||
"user": [ | ||
"user.name" | ||
] | ||
}, | ||
"server": { | ||
"ip": "81.2.69.143", | ||
"port": 443 | ||
}, | ||
"tags": [ | ||
"preserve_original_event", | ||
"preserve_duplicate_custom_fields" | ||
], | ||
"url": { | ||
"domain": "citrix.example.com" | ||
}, | ||
"user": { | ||
"name": "user.name" | ||
} | ||
}, | ||
{ | ||
"@timestamp": "2015-06-22T19:14:37.000Z", | ||
"citrix": { | ||
"cef_format": false, | ||
"detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", | ||
"device_event_class_id": "SSLVPN", | ||
"extended": { | ||
"message": "Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -" | ||
}, | ||
"facility": "local0", | ||
"host": "ns", | ||
"name": "HTTPREQUEST", | ||
"priority": "info" | ||
}, | ||
"citrix_adc": { | ||
"log": { | ||
"client_ip": "81.2.69.145", | ||
"groups": "N/A", | ||
"hostname": "citrix.example.com", | ||
"message": "Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", | ||
"method": "POST", | ||
"request": { | ||
"path": "/Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre-" | ||
}, | ||
"session_id": "1756710", | ||
"sso_status": "ON", | ||
"timestamp": "2024-07-12T06:54:39.000Z", | ||
"user": "user.name", | ||
"username": "user.name", | ||
"vserver": { | ||
"ip": "81.2.69.143", | ||
"port": 443 | ||
} | ||
} | ||
}, | ||
"client": { | ||
"geo": { | ||
"city_name": "London", | ||
"continent_name": "Europe", | ||
"country_iso_code": "GB", | ||
"country_name": "United Kingdom", | ||
"location": { | ||
"lat": 51.5142, | ||
"lon": -0.0931 | ||
}, | ||
"region_iso_code": "GB-ENG", | ||
"region_name": "England" | ||
}, | ||
"ip": "81.2.69.145" | ||
}, | ||
"ecs": { | ||
"version": "8.11.0" | ||
}, | ||
"event": { | ||
"category": [ | ||
"authentication" | ||
], | ||
"id": "152923587", | ||
"original": "Jun 22 19:14:37 <local0.info> 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 152923587 0 : Context [email protected] - SessionId: 1756710 - citrix.example.com User user.name : Group(s) N/A : Vserver 81.2.69.143:443 - 07/12/2024:06:54:39 GMT : SSO is ON : POST /Citrix/RIM-StoreWeb/Resources/GetLaunchStatus/Q29udHJvbGx89fsj3k9Sf23mk0d9823uRDGre- - -", | ||
"severity": 0, | ||
"timezone": "GMT", | ||
"type": [ | ||
"info" | ||
] | ||
}, | ||
"group": { | ||
"name": "N/A" | ||
}, | ||
"observer": { | ||
"product": "Netscaler", | ||
"type": "firewall", | ||
"vendor": "Citrix" | ||
}, | ||
"related": { | ||
"ip": [ | ||
"81.2.69.143", | ||
"81.2.69.145" | ||
], | ||
"user": [ | ||
"user.name" | ||
] | ||
}, | ||
"server": { | ||
"ip": "81.2.69.143", | ||
"port": 443 | ||
}, | ||
"tags": [ | ||
"preserve_original_event", | ||
"preserve_duplicate_custom_fields" | ||
], | ||
"url": { | ||
"domain": "citrix.example.com" | ||
}, | ||
"user": { | ||
"name": "user.name" | ||
} | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters