
Commit cbe3223

authored
[citrix_adc] Handled failed status in sslvpn pipeline (#15786)
Correct the sslvpn ingest pipeline to properly handle events where the event contains a failed status. Previously, the pipeline expected a single word, which is what a "Passed" status produces, but a failed status has multiple words that explain the problem. The pipeline now handles a multi-word status.
1 parent ab7dba9 commit cbe3223


5 files changed

+91
-2
lines changed


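--- a/packages/citrix_adc/changelog.yml
+++ b/packages/citrix_adc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.5"
+  changes:
+    - description: Properly parse failed status conditions in sslvpn pipeline
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15786
 - version: "1.17.4"
   changes:
     - description: Generate processor tags and normalize error handler.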

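--- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log
@@ -3,3 +3,4 @@
 <135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891628 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine
 <135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891629 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine
 <135> 10/03/2025:13:52:23 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 248708109 0 : CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS" - Client_security_check passed
+<131> 10/16/2025:18:14:20 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 71780673 0 : CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS" - Client_security_check "Failed - User not allowed to login"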

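--- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json
@@ -463,6 +463,89 @@
                 "preserve_original_event",
                 "preserve_duplicate_custom_fields"
             ]
+        },
+        {
+            "@timestamp": "2025-10-16T18:14:20.000Z",
+            "citrix": {
+                "cef_format": false,
+                "default_class": true,
+                "detail": "<131> 10/16/2025:18:14:20 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 71780673 0 : CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"",
+                "device_event_class_id": "SSLVPN",
+                "extended": {
+                    "message": "CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\""
+                },
+                "host": "PRODSYST001",
+                "name": "CLISEC_CHECK"
+            },
+            "citrix_adc": {
+                "log": {
+                    "client_ip": "192.0.2.0",
+                    "client_security_check_status": "Failed - User not allowed to login",
+                    "client_security_expression": "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS",
+                    "message": "CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"",
+                    "vserver": {
+                        "ip": "198.51.100.2",
+                        "port": 443
+                    }
+                }
+            },
+            "client": {
+                "as": {
+                    "number": 64500,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Las Vegas",
+                    "continent_name": "North America",
+                    "country_iso_code": "US",
+                    "country_name": "United States",
+                    "location": {
+                        "lat": 36.17497,
+                        "lon": -115.13722
+                    },
+                    "region_iso_code": "US-NV",
+                    "region_name": "Nevada"
+                },
+                "ip": "192.0.2.0"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "id": "71780673",
+                "kind": "event",
+                "original": "<131> 10/16/2025:18:14:20 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 71780673 0 : CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"",
+                "severity": 0,
+                "timezone": "GMT",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "hostname": "PRODSYST001",
+                "product": "Netscaler",
+                "type": "firewall",
+                "vendor": "Citrix"
+            },
+            "related": {
+                "ip": [
+                    "198.51.100.2",
+                    "192.0.2.0"
+                ]
+            },
+            "server": {
+                "ip": "198.51.100.2",
+                "port": 443
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
         }
     ]
 }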

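--- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml
@@ -121,7 +121,7 @@ processors:
       field: citrix.extended.message
       patterns:
         - '^%{WORD:citrix_adc.log.alert_type} ?: %{WORD:citrix_adc.log.alert_level} - ClientIP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression "%{DATA:citrix_adc.log.client_security_expression}" - ?$'
-        - "^CaseID: %{WORD} - Client IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression \"%{GREEDYDATA:citrix_adc.log.client_security_expression}\" - Client_security_check %{WORD:citrix_adc.log.client_security_check_status}$"
+        - '^CaseID: %{WORD} - Client IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression "%{GREEDYDATA:citrix_adc.log.client_security_expression}" - Client_security_check (?:"%{GREEDYDATA:citrix_adc.log.client_security_check_status}"|%{WORD:citrix_adc.log.client_security_check_status})$'
 
   - grok:
       tag: grok_sslvpn_sta_validate_resp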

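--- a/packages/citrix_adc/manifest.yml
+++ b/packages/citrix_adc/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: citrix_adc
 title: Citrix ADC
-version: "1.17.4"
+version: "1.17.5"
 description: This Elastic integration collects logs and metrics from Citrix ADC product.
 type: integration
 categories: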
