diff --git a/packages/citrix_adc/changelog.yml b/packages/citrix_adc/changelog.yml index 341f75967a0..ff372a0217f 100644 --- a/packages/citrix_adc/changelog.yml +++ b/packages/citrix_adc/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.5" + changes: + - description: Properly parse failed status conditions in sslvpn pipeline + type: bugfix + link: https://github.com/elastic/integrations/pull/15786 - version: "1.17.4" changes: - description: Generate processor tags and normalize error handler. diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log index 391d2f0eb17..63df33c33f5 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log 
@@ -3,3 +3,4 @@ <135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891628 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine <135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891629 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine <135> 10/03/2025:13:52:23 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 248708109 0 : CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS" - Client_security_check passed +<131> 10/16/2025:18:14:20 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 71780673 0 : CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS" - Client_security_check "Failed - User not allowed to login" diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json index 34789a90a0c..f773a5dcd85 100644 --- a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json 
@@ -463,6 +463,89 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "2025-10-16T18:14:20.000Z", + "citrix": { + "cef_format": false, + "default_class": true, + "detail": "<131> 10/16/2025:18:14:20 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 71780673 0 : CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"" + }, + "host": "PRODSYST001", + "name": "CLISEC_CHECK" + }, + "citrix_adc": { + "log": { + "client_ip": "192.0.2.0", + "client_security_check_status": "Failed - User not allowed to login", + "client_security_expression": "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS", + "message": "CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"", + "vserver": { + "ip": "198.51.100.2", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 64500, + "organization": { + "name": "Documentation ASN" + } + }, + "geo": { + "city_name": "Las Vegas", + "continent_name": "North America", + 
"country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 36.17497, + "lon": -115.13722 + }, + "region_iso_code": "US-NV", + "region_name": "Nevada" + }, + "ip": "192.0.2.0" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "71780673", + "kind": "event", + "original": "<131> 10/16/2025:18:14:20 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 71780673 0 : CaseID: 847e8 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "hostname": "PRODSYST001", + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "198.51.100.2", + "192.0.2.0" + ] + }, + "server": { + "ip": "198.51.100.2", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml index c48b906474b..61ccccbe184 100644 --- a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml 
@@ -121,7 +121,7 @@ processors: field: citrix.extended.message patterns: - '^%{WORD:citrix_adc.log.alert_type} ?: %{WORD:citrix_adc.log.alert_level} - ClientIP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression "%{DATA:citrix_adc.log.client_security_expression}" - ?$' - - "^CaseID: %{WORD} - Client IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression \"%{GREEDYDATA:citrix_adc.log.client_security_expression}\" - Client_security_check %{WORD:citrix_adc.log.client_security_check_status}$" + - '^CaseID: %{WORD} - Client IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression "%{GREEDYDATA:citrix_adc.log.client_security_expression}" - Client_security_check (?:"%{GREEDYDATA:citrix_adc.log.client_security_check_status}"|%{WORD:citrix_adc.log.client_security_check_status})$' - grok: tag: grok_sslvpn_sta_validate_resp diff --git a/packages/citrix_adc/manifest.yml b/packages/citrix_adc/manifest.yml index 9ee8d2f1a72..12ea122425d 100644 --- a/packages/citrix_adc/manifest.yml +++ b/packages/citrix_adc/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: citrix_adc title: Citrix ADC -version: "1.17.4" +version: "1.17.5" description: This Elastic integration collects logs and metrics from Citrix ADC product. type: integration categories:
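Review bot: The new alternative captures the quoted failure text into `citrix_adc.log.client_security_check_status`, but nothing in this hunk maps that status onto `event.outcome`, and the new expected document for the `"Failed - User not allowed to login"` sample carries `event.category: [authentication]` with `event.type: [info]` and no `event.outcome` at all. A failed endpoint-posture check that blocks a VPN login is exactly the event a detection on `event.category:authentication and event.outcome:failure` is built around, so unless outcome is derived further down the pipeline (not visible here) this fix makes the field searchable without making the failure alertable. I would set outcome right after the grok, keyed on the captured status rather than on the free text, and regenerate the expected JSON so the fixture pins it; the pipeline's processor list continues outside this hunk.
```yaml
# … unchanged: grok_sslvpn_clisec patterns above …
- set:
    tag: set_event_outcome_from_client_security_check
    field: event.outcome
    value: failure
    if: ctx.citrix_adc?.log?.client_security_check_status != null && ctx.citrix_adc.log.client_security_check_status.toLowerCase().startsWith('failed')
- set:
    tag: set_event_outcome_success_from_client_security_check
    field: event.outcome
    value: success
    if: ctx.citrix_adc?.log?.client_security_check_status != null && ctx.citrix_adc.log.client_security_check_status.toLowerCase() == 'passed'
# … unchanged: grok_sslvpn_sta_validate_resp …
```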