I am using the Splunk for Citrix NetScaler app, with somewhat mixed success. It seems that Citrix has changed some of their message formats over the versions. While I'm monitoring a NetScaler version that the Splunk app nominally supports, it mis-parses some of the messages.
I've tried to disable the transform that is mis-parsing the messages, and replace it with ones that match the messages, but the old one is still being used.
The app comes with a default transform for app firewall log messages. From splunk/etc/apps/SplunkforCitrixNetScaler/default/transforms.conf:
[ns_firewall_extract]
REGEX = APPFW\sAPPFW_(\S+)\s\d+\s+:\s+(\S+)\s(\S+)\s(\S+)\s(\S+)\s(.*)<(.*)\>
FORMAT = violation::$1 src_ip::$2 session_id::$3 profile::$4 url::$5 msg::$6 action::$7
I've written two transforms that match what the NetScaler is actually sending, and disabled the non-functioning one. From splunk/etc/apps/SplunkforCitrixNetScaler/local/transforms.conf:
[ns_firewall_extract]
disabled = 1
FORMAT = violation::$1 src_ip::$2 session_id::$3 profile::$4 url::$5 msg::$6 action::$7
REGEX = APPFW\sAPPFW_(\S+)\s\d+\s+:\s+(\S+)\s(\S+)\s(\S+)\s(\S+)\s(.*)<(.*)\>
[ns_firewall_extract_1]
CLEAN_KEYS = 1
FORMAT = violation::$1 src_ip::$2 profile::$3 msg::$4 url::$5 action::$6
MV_ADD = 0
REGEX = APPFW\sAPPFW_(STARTURL|DENYURL|BUFFEROVERFLOW_URL|BUFFEROVERFLOW_COOKIE|BUFFEROVERFLOW_HDR)\s\d+\s+:\s+(\S+)\s(\S+)\s(\.*):\s(.*)\s<(.*)\>
[ns_firewall_extract_2]
CLEAN_KEYS = 1
FORMAT = violation::$1 src_ip::$2 profile::$3 url::$4 msg::$5 action::$6
MV_ADD = 0
REGEX = APPFW\sAPPFW_(XSS|SQL|COOKIE|FIELDFORMAT|SAFECOMMERCE|SAFEOBJECT)\s\d+\s+\:\s+(S+)\s(S+)\s(\S+)\s(.*)<(.*)\>
And yet the messages are still being parsed into fields using the old definitions, that don't match our NetScaler version.
In case it's relevant, I haven't been editing the .conf files directly, but only through the web GUI.
You are editing the configuration file "transforms.conf". I think you also need to edit the configuration file "props.conf". The stanza [ns_firewall_extract_1] or [ns_firewall_extract_2] are required to combine to the attribute in props.conf.
You are editing the configuration file "transforms.conf". I think you also need to edit the configuration file "props.conf". The stanza [ns_firewall_extract_1] or [ns_firewall_extract_2] are required to combine to the attribute in props.conf.
Thank you, that fixed the problem I was having!
It also highlighted that I'm out of practice at regexes - I had to fix about three errors in those two small regexes...
Incidentally, I had to edit the file manually - when I tried to change the entry in props.conf using the GUI (Manager - Fields - Field Extractions) I got an error message every time I tried to save the changes. I got the same error message if I tried to save the existing configuration without changes. I'm not sure what that implies...