
almost-syslog Citrix parser fails with CITRIX latest version 14.1 #2776

@yaks77

Description


Note: If your issue is not a bug or a feature request, please raise a support ticket through our support portal (Splunk.com > Support > Support Portal). This will help us resolve your issue more efficiently and provide you with better assistance. For more information on how to work with the Splunk Support, please refer to this guide.

Was the issue replicated by support?
The syslog parser app-almost-syslog-citrix_netscaler.conf is not capable of processing CITRIX syslog events generated by the latest CITRIX version, 14.1. That version generates RFC5424-compliant logs.

What is the sc4s version?
3.37

Which operating system (including its version) are you using for hosting SC4S?
Red Hat Enterprise Linux release 8.10 (Ootpa)

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S?
podman

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
yes

single_packet.zip

Is the issue related to the environment of the customer or Software related issue?
no
Is it related to data loss? Please explain.
Protocol? Hardware specs?
no
Last chance index/Fallback index?
Due to the wrong parsing, the CITRIX events are sent to the nix index with wrong sc4s tags:

```
sc4s_tags   | wireformat:rfc|wireformat:rfc5424|.app.app-fallback-nix_syslog|.source.s_DEFAULT
sc4s_vendor | nix
source      | program:SSLLOG
sourcetype  | nix:syslog
```
Is the issue related to local customization?
no
Do we have all the default indexes created?
yes
Describe the bug
The current Citrix parser present in SC4S does not support the RFC5424 format used by the latest version of CITRIX, 14.1.

To Reproduce
Steps to reproduce the behavior:

  1. Configure a Citrix ADC VM.
  2. Have a working SC4S server.
  3. Configure syslog to use UDP/TCP and RFC5424 (the only option available) to be sent to SC4S.
  4. Check the logs in Splunk.
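As an added illustration (not part of this issue or of the SC4S project), the Python sketch below parses the RFC 5424 header that the newer firmware emits and flags events that landed in the fallback sourcetype (`nix:syslog` with the `.app.app-fallback-nix_syslog` tag seen above) while carrying a Citrix APP-NAME. The sample lines, the event records and the `CITRIX_APPS` set are constructed assumptions; only `SSLLOG` comes from the issue.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# A legacy (RFC 3164 style) line has no VERSION digit after <PRI>, so it does not match.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s"
    r"(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<sd>-|(?:\[[^\]]*\])+)\s?(?P<msg>.*)$"
)

def parse_rfc5424(line):
    """Return header fields plus facility/severity for one RFC 5424 line, else None."""
    m = RFC5424_RE.match(line)
    if m is None:
        return None
    hdr = m.groupdict()
    hdr["pri"] = int(hdr["pri"])
    hdr["facility"], hdr["severity"] = divmod(hdr["pri"], 8)
    return hdr

# Tag and sourcetype values are the ones reported in the issue for misrouted events.
FALLBACK_TAG = ".app.app-fallback-nix_syslog"
FALLBACK_SOURCETYPE = "nix:syslog"
# Assumption: NetScaler module names that should never end up in the fallback path.
CITRIX_APPS = {"SSLLOG"}

def misrouted_citrix(events):
    """Return APP-NAMEs of RFC 5424 Citrix events that the vendor parser missed."""
    missed = []
    for ev in events:
        hdr = parse_rfc5424(ev["_raw"])
        if hdr is None:
            continue  # not RFC 5424, so not the failure mode under discussion
        if (ev["sourcetype"] == FALLBACK_SOURCETYPE
                and FALLBACK_TAG in ev["sc4s_tags"]
                and hdr["app"] in CITRIX_APPS):
            missed.append(hdr["app"])
    return missed

# Constructed sample input: one RFC 5424 Citrix-style line, one legacy-style line,
# one unrelated host event that belongs in the fallback sourcetype.
LINE_5424 = "<134>1 2024-06-01T10:00:00Z ns01 SSLLOG - - - SSL_HANDSHAKE_SUCCESS ClientIP 10.0.0.5"
LINE_LEGACY = "<134> 06/01/2024:10:00:00 GMT ns01 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS"
FALLBACK_TAGS = "wireformat:rfc|wireformat:rfc5424|.app.app-fallback-nix_syslog|.source.s_DEFAULT"
SAMPLE_EVENTS = [
    {"_raw": LINE_5424, "sourcetype": "nix:syslog", "sc4s_tags": FALLBACK_TAGS},
    {"_raw": LINE_LEGACY, "sourcetype": "nix:syslog", "sc4s_tags": FALLBACK_TAGS},
    {"_raw": "<86>1 2024-06-01T10:00:01Z host1 sshd 1234 - - Accepted publickey for ops",
     "sourcetype": "nix:syslog", "sc4s_tags": FALLBACK_TAGS},
]
```

Running `misrouted_citrix(SAMPLE_EVENTS)` over real Splunk search results (fields `_raw`, `sourcetype`, `sc4s_tags`) gives a quick check of whether the fallback index is absorbing Citrix traffic.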
