FortiSIEM Discussions
adem_netsys
Contributor

Citrix Netscaler Parser

Does anyone parse user information in the Netscaler parser? Login/logoff information is needed in particular, but the logout user and duration information does not come through in the default parser.

Rob_SIEM
Staff

Hi Adem,

I was able to find the issues with parsing of this event:

Issue #1:
durationMSec accepts only a uint of the duration in milliseconds. The field in the log is in the format HH:mm:ss.
So we must parse it into a temp variable and set the attribute according to the format by converting.

Issue #2: Under the parsing for SSLVPN_LOGOUT, there was a regex case mismatch for Total_compressedBytes_send and recv. The "Bytes" should be lowercased to "bytes".

Other issues:
Vserver was parsed to the wrong attribute. Recommend destIpAddr / destIpPort instead of host.

Try this one out. We'll push the fix out via content update soon; however, you can use this custom parser in the interim.

1) Disable system CitrixNetScalerParser

2) Clone the CitrixNetScalerParser - name it _custom

3) Paste the contents of the parser attached

4) Reformat -> Validate -> Test

5) Click Back -> Enable -> Save

6) At top of parser page, click Apply -> Apply All

7) Wait about a minute for the parser change to be pushed to all collectors, new events should be parsed correctly for the given events.

adem_netsys

Hi @Rob_SIEM 

Firstly, thank you for your interest. I tried, but this time I got an error for line 185. How did you assign the _duration variable to a display and value?

Rob_SIEM

What version of FSM are you on? The parser attached works in the latest version, and test is successful for the sample event you provided.

Regarding _duration: we set the Duration section of the log to a temp var _duration because it is in the string format hh:mm:ss, e.g. 00:20:38. The FortiSIEM attribute durationMSec cannot be set directly, because it expects an integer of milliseconds.

The section at the bottom of the parser parses the 00:00:00 value and turns it into milliseconds:

<when test="exist _duration">
  <switch>
    <!-- duration given in format: Duration 00:20:38 -->
    <case>
      <collectAndSetAttrByRegex src="$_duration">
        <regex><![CDATA[^<_hours:gPatInt>:<_min:gPatInt>:<_sec:gPatInt>$]]></regex>
      </collectAndSetAttrByRegex>
      <setEventAttribute attr="_durationSec">0</setEventAttribute>
      <choose>
        <!-- leave durationMSec unset if any component is missing -->
        <when test="not_exist _hours"/>
        <when test="not_exist _min"/>
        <when test="not_exist _sec"/>
        <otherwise>
          <!-- each non-zero component is converted to seconds and accumulated -->
          <when test="$_hours != '00'">
            <setEventAttribute attr="_hourToSec">scale($_hours, 3600)</setEventAttribute>
            <setEventAttribute attr="_durationSec">add($_durationSec, $_hourToSec)</setEventAttribute>
          </when>
          <when test="$_min != '00'">
            <setEventAttribute attr="_minToSec">scale($_min, 60)</setEventAttribute>
            <setEventAttribute attr="_durationSec">add($_durationSec, $_minToSec)</setEventAttribute>
          </when>
          <when test="$_sec != '00'">
            <setEventAttribute attr="_durationSec">add($_durationSec, $_sec)</setEventAttribute>
          </when>
          <!-- finally, scale to milliseconds -->
          <setEventAttribute attr="durationMSec">scale($_durationSec, 1000)</setEventAttribute>
        </otherwise>
      </choose>
    </case>
    <default/>
  </switch>
</when>

Thanks,

-Rob

adem_netsys

@Rob_SIEM 

Our SIEM version is 7.2.0. I think you assigned an attribute named _duration; does its display value have any importance?

Rob_SIEM

Any temp var such as _someVar does not show up in the parsed fields, they are merely temporary values.

This is the resulting value:

<setEventAttribute attr="durationMSec">scale($_durationSec, 1000)</setEventAttribute>

The display name of the attribute durationMSec is "Duration" in the GUI; it is not displayed in another format, just the duration of the session that logged off, in milliseconds, as a number.

I'll try to test this parser on 7.2.0 today.

Thanks,

-Rob

Rob_SIEM

I tested successfully in 7.2.0 FSM as well for the sample event provided.

When you cloned the system Citrix parser, did you delete the entire parser logic and paste in the entire parser file attached above? I used the same file contents in my test.

Then do Validate -> Test -> Back -> Enable -> Apply.

If you still have issues, I'd suggest opening a TAC case and they can walk you through applying it.

Thanks,

adem_netsys

Yes I did. What are the attributes you created in the parser? I am currently using the default ones. I can add them and try. Also, what is the sample log you are using?

Rob_SIEM

All attributes used in the parser are default system attributes in 7.2.x of FortiSIEM.

The sample log used was the one you provided here:

<134> 07/22/2024:07:47:27 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 240699 0 : Context userroot@2.2.2.2 - SessionId: 1000 - User userroot - Client_ip 2.2.2.2 - Nat_ip "Mapped Ip" - Vserver 2.1.1.1:443 - Start_time "07/22/2024:07:26:49 GMT" - End_time "07/22/2024:07:47:27 GMT" - Duration 00:20:38 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 17 - Total_UDP_flows 0 - Total_policies_allowed 17 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 9665 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "N/A"

There were already 10 test events in the cloned parser, so you'll have to delete one to add this one. 

adem_netsys

As I said, when I encounter a different log, I get an error in this parser. I am forwarding the example.

<134> 07/24/2024:10:06:20 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 373093 0 : Context SIEM_B@192.168.15.19 - SessionId: 1632 - User SIEM_B - Client_ip 192.168.15.19 - Nat_ip "Mapped Ip" - Vserver 10.80.100.3:443 - Start_time "07/24/2024:09:31:14 GMT" - End_time "07/24/2024:10:06:20 GMT" - Duration 00:35:06 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 13 - Total_UDP_flows 0 - Total_policies_allowed 13 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 81696 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A"
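
The two fixes discussed in this thread (hh:mm:ss Duration turned into an integer for durationMSec, and Vserver mapped to destIpAddr/destIpPort rather than host), applied to both LOGOUT events posted above, as an added Python example that is not the FortiSIEM parser and not Fortinet's code. The header and field-list handling is my own reading of the sample lines; attribute names other than durationMSec, destIpAddr and destIpPort are assumptions.

```python
import re

# The two SSLVPN LOGOUT events posted in this thread (addresses as posted).
LOGOUT_EVENTS = [
    '<134> 07/22/2024:07:47:27 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 240699 0 : Context userroot@2.2.2.2 - SessionId: 1000 - User userroot - Client_ip 2.2.2.2 - Nat_ip "Mapped Ip" - Vserver 2.1.1.1:443 - Start_time "07/22/2024:07:26:49 GMT" - End_time "07/22/2024:07:47:27 GMT" - Duration 00:20:38 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 17 - Total_UDP_flows 0 - Total_policies_allowed 17 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 9665 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "N/A"',
    '<134> 07/24/2024:10:06:20 GMT VNS01 0-PPE-0 : default SSLVPN LOGOUT 373093 0 : Context SIEM_B@192.168.15.19 - SessionId: 1632 - User SIEM_B - Client_ip 192.168.15.19 - Nat_ip "Mapped Ip" - Vserver 10.80.100.3:443 - Start_time "07/24/2024:09:31:14 GMT" - End_time "07/24/2024:10:06:20 GMT" - Duration 00:35:06 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 13 - Total_UDP_flows 0 - Total_policies_allowed 13 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 81696 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A"',
]

# Header up to the second " : "; everything after it is the " - " separated field list (my assumption).
HEADER_RE = re.compile(
    r'^<\d+>\s+(?P<ts>\S+ GMT)\s+(?P<host>\S+)\s+\S+\s+:\s+'
    r'\S+\s+SSLVPN\s+(?P<event>\S+)\s+\d+\s+\d+\s+:\s+(?P<body>.*)$'
)
DURATION_RE = re.compile(r'^(\d+):(\d{2}):(\d{2})$')

def duration_to_msec(value):
    """hh:mm:ss -> integer milliseconds as durationMSec needs; None if not in that shape."""
    m = DURATION_RE.match(value)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return (hours * 3600 + minutes * 60 + seconds) * 1000

def parse_body(body):
    # Keys keep the exact case the log uses: "Total_compressedbytes_send", not "...Bytes...".
    fields = {}
    for chunk in body.split(' - '):
        key, _, val = chunk.partition(' ')
        fields[key.rstrip(':')] = val.strip('"')
    return fields

def parse_logout(line):
    """Return the event attributes a LOGOUT line yields, or None for anything else."""
    m = HEADER_RE.match(line)
    if not m or m.group('event') != 'LOGOUT':
        return None
    raw = parse_body(m.group('body'))
    event = {'reptDevName': m.group('host'), 'user': raw.get('User'),
             'srcIpAddr': raw.get('Client_ip'), 'logoutMethod': raw.get('LogoutMethod'),
             'sentBytes': int(raw['Total_bytes_send']), 'recvBytes': int(raw['Total_bytes_recv']),
             'raw': raw}
    # Vserver is the VPN virtual server the client connected to: a destination, not the reporting host.
    ip, sep, port = raw.get('Vserver', '').rpartition(':')
    if sep:
        event['destIpAddr'], event['destIpPort'] = ip, int(port)
    # durationMSec only accepts an integer, so the hh:mm:ss text is converted first.
    msec = duration_to_msec(raw.get('Duration', ''))
    if msec is not None:
        event['durationMSec'] = msec
    return event
```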

Rob_SIEM

This log you attached parses perfectly fine with the attached parser. Perhaps there is some issue with the changes not taking effect. Please open a TAC case so we can see the issue directly.

In the TAC case, please export all the Citrix logs to CSV format from the analytics tab and upload them to the case.

We can schedule a meeting to look at your system live.

Thanks,
