Does anyone parse user information in the NetScaler parser? Login/logoff information especially is needed, but logout user and duration information does not come in the default parser.
Hi Adem,
I was able to find the issues with parsing of this event:
Try this one out. We'll push the fix out via content update soon, however, you can use this custom parser in the interim.
1) Disable system CitrixNetScalerParser
2) Clone the CitrixNetScalerParser - name it _custom
3) Paste the contents of the parser attached
4) Reformat -> Validate -> Test
5) Click Back -> Enable -> Save
6) At top of parser page, click Apply -> Apply All
7) Wait about a minute for the parser change to be pushed to all collectors, new events should be parsed correctly for the given events.
Created on 07-24-2024 12:00 AM Edited on 07-24-2024 02:52 AM
Hi @Rob_SIEM
Firstly, thank you for your interest. I tried, but this time I got an error for line 185. How did you assign the _duration variable to a display and value?
What version of FSM are you on? The parser attached works in the latest version, and test is successful for the sample event you provided.
Regarding _duration. We set the Duration section of the log to a temp var _duration because it is in the string format hh:mm:ss e.g. 00:20:38. The FortiSIEM attribute durationMSec cannot be set directly, because it expects an integer of milliseconds.
The section at the bottom of the parser parses the 00:00:00 string and turns it into milliseconds:
<when test="exist _duration">
  <switch>
    <!-- duration given in format: Duration 00:20:38 -->
    <case>
      <collectAndSetAttrByRegex src="$_duration">
        <regex><![CDATA[^<_hours:gPatInt>:<_min:gPatInt>:<_sec:gPatInt>$]]></regex>
      </collectAndSetAttrByRegex>
      <setEventAttribute attr="_durationSec">0</setEventAttribute>
      <choose>
        <when test="not_exist _hours"/>
        <when test="not_exist _min"/>
        <when test="not_exist _sec"/>
        <otherwise>
          <when test="$_hours != '00'">
            <setEventAttribute attr="_hourToSec">scale($_hours, 3600)</setEventAttribute>
            <setEventAttribute attr="_durationSec">add($_durationSec, $_hourToSec)</setEventAttribute>
          </when>
          <when test="$_min != '00'">
            <setEventAttribute attr="_minToSec">scale($_min, 60)</setEventAttribute>
            <setEventAttribute attr="_durationSec">add($_durationSec, $_minToSec)</setEventAttribute>
          </when>
          <when test="$_sec != '00'">
            <setEventAttribute attr="_durationSec">add($_durationSec, $_sec)</setEventAttribute>
          </when>
          <!-- finally, scale to milliseconds -->
          <setEventAttribute attr="durationMSec">scale($_durationSec, 1000)</setEventAttribute>
        </otherwise>
      </choose>
    </case>
    <default/>
  </switch>
</when>
Thanks,
-Rob
Our SIEM version is 7.2.0. I think you assigned an attribute named _duration; does its display value have any importance?
Any temp var such as _someVar does not show up in the parsed fields, they are merely temporary values.
This is the resulting value:
<setEventAttribute attr="durationMSec">scale($_durationSec, 1000)</setEventAttribute>
The display name of the attribute durationMSec is "Duration" in the GUI, and it is not displayed in another format, just the duration in milliseconds, as a number, of the session that logged off.
I'll try to test this parser on 7.2.0 today.
Thanks,
-Rob
Created on 07-24-2024 10:45 AM Edited on 07-24-2024 10:46 AM
I tested successfully in 7.2.0 FSM as well for the sample event provided.
When you cloned the system citrix parser, did you delete the entire parser logic, and paste in the entire parser file attached above? I used the same file contents in my test.
Then do Validate -> Test -> Back -> Enable -> Apply
If you still have issues, I'd suggest opening a TAC case and they can walk you through applying.
Thanks,
Created on 07-24-2024 10:51 AM Edited on 07-24-2024 10:52 AM
Yes, I did. What are the attributes you created in the parser? I am currently using the default ones. I can add them and try. Also, what is the sample log you are using?
All attributes used in the parser are default system attributes in 7.2.x of FortiSIEM.
The sample log used was the one you provided here:
<134> 07/22/2024:07:47:27 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 240699 0 : Context userroot@2.2.2.2 - SessionId: 1000 - User userroot - Client_ip 2.2.2.2 - Nat_ip "Mapped Ip" - Vserver 2.1.1.1:443 - Start_time "07/22/2024:07:26:49 GMT" - End_time "07/22/2024:07:47:27 GMT" - Duration 00:20:38 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 17 - Total_UDP_flows 0 - Total_policies_allowed 17 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 9665 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "N/A"
There were already 10 test events in the cloned parser, so you'll have to delete one to add this one.
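As an added reference model (not the FortiSIEM parser itself and not Rob's attachment), the following Python mirrors what the custom parser does with the SSLVPN LOGOUT event quoted above: it pulls the session fields, converts the hh:mm:ss Duration into milliseconds the same way the scale()/add() steps do, and additionally cross-checks the result against End_time minus Start_time, which is a useful sanity check when a parser change is not taking effect. The field names and the durationConsistent flag are this example's own choices.

```python
import re
from datetime import datetime

# Fields the custom CitrixNetScalerParser extracts from an SSLVPN LOGOUT event;
# group names here are this example's own, not FortiSIEM attribute names.
LOGOUT_RE = re.compile(
    r"SSLVPN LOGOUT .*?Context (?P<user>\S+)@(?P<ctx_ip>\S+) - "
    r"SessionId: (?P<session_id>\d+) - User (?P<username>\S+) - "
    r"Client_ip (?P<client_ip>\S+) .*?"
    r'Start_time "(?P<start>[^"]+)" - End_time "(?P<end>[^"]+)" - '
    r"Duration (?P<duration>\S+) .*?"
    r'LogoutMethod "(?P<logout_method>[^"]+)"'
)
DURATION_RE = re.compile(r"^(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)$")
TIME_FMT = "%m/%d/%Y:%H:%M:%S GMT"


def duration_to_msec(duration):
    """hh:mm:ss -> integer milliseconds (the parser's scale/add arithmetic).
    Returns None for an unexpected shape, where the parser hits <default/>."""
    m = DURATION_RE.match(duration)
    if not m:
        return None
    h, mi, s = (int(m.group(k)) for k in ("h", "m", "s"))
    return (h * 3600 + mi * 60 + s) * 1000


def parse_logout(line):
    """Parsed fields for a LOGOUT event, or None if the line is not one.
    durationConsistent is False when Duration disagrees with End_time - Start_time."""
    m = LOGOUT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["durationMSec"] = duration_to_msec(f.pop("duration"))
    start = datetime.strptime(f.pop("start"), TIME_FMT)
    end = datetime.strptime(f.pop("end"), TIME_FMT)
    wall_msec = int((end - start).total_seconds() * 1000)
    f["durationConsistent"] = f["durationMSec"] == wall_msec
    return f


# The two sample events posted in this thread, embedded verbatim as test input.
SAMPLE_LOGS = [
    '<134> 07/22/2024:07:47:27 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 240699 0 : Context userroot@2.2.2.2 - SessionId: 1000 - User userroot - Client_ip 2.2.2.2 - Nat_ip "Mapped Ip" - Vserver 2.1.1.1:443 - Start_time "07/22/2024:07:26:49 GMT" - End_time "07/22/2024:07:47:27 GMT" - Duration 00:20:38 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 17 - Total_UDP_flows 0 - Total_policies_allowed 17 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 9665 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "N/A"',
    '<134> 07/24/2024:10:06:20 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 373093 0 : Context SIEM_B@192.168.15.19 - SessionId: 1632 - User SIEM_B - Client_ip 192.168.15.19 - Nat_ip "Mapped Ip" - Vserver 10.80.100.3:443 - Start_time "07/24/2024:09:31:14 GMT" - End_time "07/24/2024:10:06:20 GMT" - Duration 00:35:06 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 13 - Total_UDP_flows 0 - Total_policies_allowed 13 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 81696 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_logout(line))
```

Both sample events yield durationConsistent == True; a False there, or durationMSec == None, points at a Duration field the regex did not match rather than at the scaling arithmetic.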
As I said, when I encounter a different log, I get an error in this parser. I am forwarding the example.
<134> 07/24/2024:10:06:20 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 373093 0 : Context SIEM_B@192.168.15.19 - SessionId: 1632 - User SIEM_B - Client_ip 192.168.15.19 - Nat_ip "Mapped Ip" - Vserver 10.80.100.3:443 - Start_time "07/24/2024:09:31:14 GMT" - End_time "07/24/2024:10:06:20 GMT" - Duration 00:35:06 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 13 - Total_UDP_flows 0 - Total_policies_allowed 13 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 81696 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A"
This log you attached parses perfectly fine with the attached parser. Perhaps there is some issue with the changes not taking effect. Please open a TAC case so we can see the issue directly.
In the TAC case, please export all the Citrix logs to CSV format from the analytics tab, and upload to the case.
We can schedule a meeting to look at your system live.
Thanks,