Closed
26 commits
3c6d8f3
docs: Updating the vendor documentation with the correct port number …
cwadhwani-splunk Jan 16, 2025
78bb3e5
feat: Add a health check endpoint (#2670)
mstopa-splunk Jan 16, 2025
0492dcf
docs: Updated the dead links on create-parser page (#2665)
cwadhwani-splunk Jan 16, 2025
334f2f0
chore(deps): update splunk/addonfactory-test-matrix-action action to …
renovate[bot] Jan 16, 2025
623cea7
docs: add "Architecture and Load Balancers" (#2574)
mstopa-splunk Jan 16, 2025
be77057
fix: CVE (#2660)
ikheifets-splunk Jan 16, 2025
5797cc0
docs: update NGINX health_check command usage
mstopa-splunk Jan 17, 2025
df0f0ff
docs: update NGINX health_check command usage
mstopa-splunk Jan 17, 2025
61c7061
fix: poetry export after 2.0 (#2678)
ikheifets-splunk Jan 20, 2025
5703173
fix: rebuild docker image after alpine security fixes (#2687)
ikheifets-splunk Jan 30, 2025
364550b
Merge branch 'main' into develop
sbylica-splunk Feb 3, 2025
bf1eba8
docs: Describe load balancing with F5 (#2677)
mstopa-splunk Feb 10, 2025
6c52c7d
fix: resolve sonarqube reported issues (#2690)
sbylica-splunk Feb 25, 2025
7daf590
Changed rhel version in docs (#2699)
sbylica-splunk Feb 27, 2025
ac00225
Added support for multiple destinations in healthcheck (#2704)
sbylica-splunk Mar 11, 2025
fce2007
docs: remove experimental status for EP (#2714)
ikheifets-splunk Mar 20, 2025
0998d28
docs: Updated the splunk add-on link in the panos documentation (#2695)
cwadhwani-splunk Apr 2, 2025
124804b
feat: Added support for vectra json logs (#2694)
cwadhwani-splunk Apr 2, 2025
97587da
chore: add netapp tests (#2705)
ajasnosz Apr 4, 2025
8773f38
Merge branch 'main' into develop
cwadhwani-splunk Apr 8, 2025
f3c103c
fix: vuln fix alpine (#2726)
rjha-splunk Apr 9, 2025
729f2cd
fix: Added a couple of parsers in the enterprise version. (#2734)
cwadhwani-splunk Apr 9, 2025
8e9240c
fix: Added a couple of parsers in the enterprise version. (#2734)
cwadhwani-splunk Apr 9, 2025
b375da9
fix: update citrix netscaler date parser (#2735)
ajasnosz Apr 14, 2025
80fb1ad
docs: Updated the sourcetype in the documentation of isc_dhcpd (#2698)
cwadhwani-splunk Apr 18, 2025
c2aa1b1
Merge branch 'main' into develop
ajasnosz Apr 23, 2025
34 changes: 20 additions & 14 deletions docs/sources/vendor/Citrix/netscaler.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,27 +7,33 @@

## Links

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | <https://splunkbase.splunk.com/app/2770/> |
| Ref | Link |
|----------------|-----------------------------------------------------------------------------------------------------|
| Splunk Add-on | <https://splunkbase.splunk.com/app/2770/> |
| Product Manual | <https://docs.citrix.com/en-us/citrix-adc/12-1/system/audit-logging/configuring-audit-logging.html> |

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| citrix:netscaler:syslog | None |
| citrix:netscaler:appfw | None |
| citrix:netscaler:appfw:cef | None |
| sourcetype | notes |
|----------------------------|-------|
| citrix:netscaler:syslog | None |
| citrix:netscaler:appfw | None |
| citrix:netscaler:appfw:cef | None |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| citrix_netscaler | citrix:netscaler:syslog | netfw | none |
| citrix_netscaler | citrix:netscaler:appfw | netfw | none |
| citrix_netscaler | citrix:netscaler:appfw:cef | netfw | none |
| key | sourcetype | index | notes |
|------------------|----------------------------|-------|-------|
| citrix_netscaler | citrix:netscaler:syslog | netfw | none |
| citrix_netscaler | citrix:netscaler:appfw | netfw | none |
| citrix_netscaler | citrix:netscaler:appfw:cef | netfw | none |

## Source Setup and Configuration

* Follow vendor configuration steps per Product Manual above. Ensure the data format selected is "DDMMYYYY"
* Follow vendor configuration steps per Product Manual above.

## Options

| Variable | default | description |
|--------------------------------------------|--------------|-----------------------------------------------------------------------------------------------|
| `SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER` | empty string | (empty/yes) Set to "yes" for parsing the date in format `dd/mm/yyyy` instead of `mm/dd/yyyy`. |
6 changes: 3 additions & 3 deletions docs/sources/vendor/ISC/dhcpd.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,13 @@ see that source documentation for instructions

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| isc:dhcp | none |
| isc:dhcpd | none |

### Index Configuration

| key | index | notes |
|----------------|------------|----------------|
| isc_dhcp | isc:dhcp | none |
| isc_dhcpd | netipam | none |

### Filter type

Expand All @@ -42,5 +42,5 @@ An active site will generate frequent events use the following search to check f
Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype=isc:dhcp")
index=<asconfigured> (sourcetype=isc:dhcpd")
```
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ block parser app-almost-syslog-citrix_netscaler() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('^(?<pri>\<\d+>) (?<timestamp>(?<tspart1>\d\d)\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d ?(?<tz>\w+))? (?<host>[^ ]+) (?<message>[A-Z\-0-9]+ : .*)')
patterns('^(?<pri>\<\d+\>) (?<timestamp>(?<tspart1>\d\d)\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d ?(?<tz>\w+))? (?<host>[^ ]+) (?<message>[A-Z\-0-9]+ : .*)')
);
};
parser {
Expand All @@ -19,11 +19,12 @@ block parser app-almost-syslog-citrix_netscaler() {
);
};


if {
filter { "${.tmp.tspart1}" eq "$R_DAY"};
filter { "`SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER`" eq "yes" or "${.tmp.tspart1}" eq "${DAY}"};
parser {
date-parser-nofilter(
format('%d/%m/%Y:%H:%M:%S %z','%d/%m/%Y:%H:%M:%S')
format('%d/%m/%Y:%H:%M:%S %z','%d/%m/%Y:%H:%M:%S','%d/%m/%Y:%H:%M:%S %Z')
template("${.tmp.timestamp}")
);
};
Expand Down
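Review bot: The day-match heuristic on the new filter line, `"${.tmp.tspart1}" eq "${DAY}"`, only recognises a dd/mm date when the event's day-of-month equals the day the filter runs, so delayed, replayed or buffered events from an earlier day — and events sent around midnight from a device whose zone differs from the SC4S host — fall through to the other branch and, when the leading field is greater than 12, are either dropped by the date parse or silently re-dated. Because `_time` on netfw events drives correlation windows and forensic timelines, this assumption should be stated above the `if`, e.g. `# dd/mm is assumed only when the leading field equals the current day; set SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER=yes for devices configured for DDMMYYYY instead of relying on this heuristic`. Note also that `${DAY}` is the message-stamp day whereas the replaced `$R_DAY` was the receive-time day; if no stamp has been parsed at this point the two presumably coincide, but that is worth confirming. The enclosing parser block starts above this hunk and the `if` continues past it.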
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ block parser app-almost-syslog-citrix_netscaler() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('^(?<pri>\<\d+>) (?<timestamp>(?<tspart1>\d\d)\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d ?(?<tz>\w+))? (?<host>[^ ]+) (?<message>[A-Z\-0-9]+ : .*)')
patterns('^(?<pri>\<\d+\>) (?<timestamp>(?<tspart1>\d\d)\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d ?(?<tz>\w+))? (?<host>[^ ]+) (?<message>[A-Z\-0-9]+ : .*)')
);
};
parser {
Expand All @@ -19,11 +19,12 @@ block parser app-almost-syslog-citrix_netscaler() {
);
};


if {
filter { "${.tmp.tspart1}" eq "$R_DAY"};
filter { "`SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER`" eq "yes" or "${.tmp.tspart1}" eq "${DAY}"};
parser {
date-parser-nofilter(
format('%d/%m/%Y:%H:%M:%S %z','%d/%m/%Y:%H:%M:%S')
format('%d/%m/%Y:%H:%M:%S %z','%d/%m/%Y:%H:%M:%S','%d/%m/%Y:%H:%M:%S %Z')
template("${.tmp.timestamp}")
);
};
Expand Down
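Review bot: The third format added to `date-parser-nofilter`, `'%d/%m/%Y:%H:%M:%S %Z'`, lets the `GMT` suffix captured in `tz` be consumed, but with strptime-style parsing `%Z` typically matches a zone name without applying its offset, so unless a `time-zone()` option is set elsewhere the value is presumably interpreted in the SC4S host's zone (the `%z` variant only helps for numeric offsets). If that reading is right, a non-UTC SC4S host would shift every NetScaler event by its UTC offset — silent timestamp drift that breaks detection time windows and makes incident timelines untrustworthy. Suggest passing `time-zone("${.tmp.tz}")` (or a fixed UTC zone if the appliance always emits GMT) through the wrapper if it supports it, and recording the assumption in a comment such as `# NetScaler emits a zone name (e.g. GMT); %Z matches it but may not convert — verify offset handling on a non-UTC host`. The parser block begins above this hunk and the `if`/else continues below it.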
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ block parser app-almost-syslog-citrix_netscaler() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('^(?<pri>\<\d+>) (?<timestamp>(?<tspart1>\d\d)\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d ?(?<tz>\w+))? (?<host>[^ ]+) (?<message>[A-Z\-0-9]+ : .*)')
patterns('^(?<pri>\<\d+\>) (?<timestamp>(?<tspart1>\d\d)\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d ?(?<tz>\w+))? (?<host>[^ ]+) (?<message>[A-Z\-0-9]+ : .*)')
);
};
parser {
Expand All @@ -19,11 +19,12 @@ block parser app-almost-syslog-citrix_netscaler() {
);
};


if {
filter { "${.tmp.tspart1}" eq "$R_DAY"};
filter { "`SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER`" eq "yes" or "${.tmp.tspart1}" eq "${DAY}"};
parser {
date-parser-nofilter(
format('%d/%m/%Y:%H:%M:%S %z','%d/%m/%Y:%H:%M:%S')
format('%d/%m/%Y:%H:%M:%S %z','%d/%m/%Y:%H:%M:%S','%d/%m/%Y:%H:%M:%S %Z')
template("${.tmp.timestamp}")
);
};
Expand Down
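Review bot: The override comparison on the new filter line, `"`SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER`" eq "yes"`, is an exact, case-sensitive string match resolved at config load, so `Yes`, `true` or `1` silently leave the mm/dd default in place — worth stating in a comment next to the check, e.g. `# exact lowercase "yes" only; evaluated once at startup, restart SC4S after changing it`, and in the option docs. This identical `if` now exists in three parser copies in this PR (this is the third), so any later fix to the day heuristic or the format list has to be applied three times; if these variants are not generated from one source, a comment pointing at the sibling files would reduce drift. The enclosing block starts before this hunk and the `if` continues after it.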
48 changes: 47 additions & 1 deletion tests/test_citrix_netscaler.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@
# license that can be found in the LICENSE-BSD2 file or at
# https://opensource.org/licenses/BSD-2-Clause
import datetime
import os
from unittest.mock import patch

import shortuuid
import pytz
import pytest
Expand All @@ -28,7 +31,7 @@ def test_citrix_netscaler(record_property, setup_splunk, setup_sc4s, get_pid):
_, bsd, time, _, _, tzname, epoch = time_operations(dt)

# Tune time functions
time = dt.strftime("%d/%m/%Y:%H:%M:%S")
time = dt.strftime("%m/%d/%Y:%H:%M:%S")
epoch = epoch[:-7]

mt = env.from_string(
Expand Down Expand Up @@ -91,6 +94,49 @@ def test_citrix_netscaler_sdx(

assert result_count == 1

# <134> 05/08/2025:03:13:15 GMT DC-NS02 0-PPE-0 : default TCP CONN_TERMINATE 1874124822 0 : Source 10.x.x.x:47990 - Destination 10.x.x.x:80 - Start Time 26/03/2025:21:13:15 GMT - End Time 26/03/2025:21:13:15 GMT - Total_bytes_send 1 - Total_bytes_recv 1
@pytest.mark.addons("citrix")
@patch.dict(
os.environ,
{
"SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER": "yes",
},
clear=False
)
def test_citrix_netscaler_new_date_format(
record_property, setup_splunk, setup_sc4s, get_pid
):
host = f"test-ctitrixns-host-{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
pid = get_pid

dt = datetime.datetime.now(datetime.timezone.utc)
_, bsd, time, _, _, tzname, epoch = time_operations(dt)

# Tune time functions
time = dt.strftime("%d/%m/%Y:%H:%M:%S")
epoch = epoch[:-7]

mt = env.from_string(
"{{ mark }} {{ time }} GMT {{ host }} 0-PPE-0 : default TCP CONN_TERMINATE 1874124822 0 : Source 10.x.x.x:47990 - Destination 10.x.x.x:80 - Start Time 26/03/2025:21:13:15 GMT - End Time 26/03/2025:21:13:15 GMT - Total_bytes_send 1 - Total_bytes_recv 1\n"
)
message = mt.render(
mark="<134>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid
)

sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string(
'search _time={{ epoch }} index=netfw host={{ host }} sourcetype="citrix:netscaler:syslog"'
)
search = st.render(epoch=epoch, host=host, pid=pid)

result_count, _ = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", result_count)
record_property("message", message)

assert result_count == 1

# [289]: AAA Message : In receive_ldap_user_search_event: ldap_first_entry returned null, user ssgconfig not found
@pytest.mark.addons("citrix")
Expand Down
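Review bot: `@patch.dict(os.environ, ...)` on `test_citrix_netscaler_new_date_format` sets the variable in the pytest process, but `SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER` is read by syslog-ng through backtick substitution inside the SC4S instance `setup_sc4s` provides, so unless that fixture re-renders the instance environment per test the patch presumably has no effect on the code under test. The test would pass regardless, because the message uses today's date in `%d/%m/%Y`, whose leading field equals `${DAY}` and so takes the dd/mm branch without the override — it does not exercise the path it is named for, and the docs in this PR call dd/mm the legacy format rather than the new one. To pin the override, send a fixed past date whose day is greater than 12 (the comment's own sample carries `26/03/2025`) and search for its computed epoch; that date cannot be read as mm/dd and does not match `${DAY}`, so only the override can parse it, which also makes the test fail loudly if the variable never reaches the container.
```python
@pytest.mark.addons("citrix")
def test_citrix_netscaler_legacy_ddmm_date_format(
    record_property, setup_splunk, setup_sc4s, get_pid
):
    # … unchanged: host / pid setup …
    # A day > 12 cannot be parsed as mm/dd, and a past date never matches ${DAY},
    # so only SC4S_IGNORE_MMDD_LEGACY_CITRIX_NETSCALER=yes in the SC4S instance can parse it.
    dt = datetime.datetime(2025, 3, 26, 21, 13, 15, tzinfo=datetime.timezone.utc)
    time = dt.strftime("%d/%m/%Y:%H:%M:%S")
    epoch = str(int(dt.timestamp()))
    # … unchanged: message render, sendsingle, search and assertions …
```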