[Citrix ADC] Syslog messages are not according to documentation #10153
Comments
@piyush-elastic could you please look at this one.
I got an email notification that I'm not seeing in the thread here - but, to answer the question - yes, our ADC/Netscaler has been in production for quite a while (we keep it up-to-date); it is a virtual appliance that was migrated from a legacy MPX back in the day. Are you thinking that there is a legacy setting on the ADC that needs to be adjusted?
That was me. I had a mistake in there but wasn't near a computer to correct it. But for anyone who missed it, I'd asked whether the device was from before Citrix rebranded the Netscaler to ADC. The non-working format in the OP does match older parsers from before that, and our logs also have this format (device purchased prior to 2020, but up to date in terms of version). I do think that it may be a scenario where the format isn't updated (maybe to not break existing logging?) on older devices. I don't know how to verify or change that though, as I'm not our Citrix admin, or I'd be able to test this before waiting for our new unit to be up.
So looking closer at our configuration, I think what we're seeing is the use of classic policies. These were deprecated before 13.0. The logs in However, I don't think that is the issue here. Looking at the pipeline, it does fail to match that first grok pattern but the entire
Could either of you share a few more (redacted) sample logs or the error message? I applied the following to our new, and old, devices
The format still differs, but in my case I am missing the time zone (need to try not setting it in the config, I guess); after I edited the native pipeline to make that an optional match it works. But the sample logs in the OP also worked without any edits via the grok debugger. Edit: looking at logs that have come in, it does look like additional parsers for things like Citrix Gateway / Storefront events are needed.
Sorry for 4 comments here, but I've identified the cause. There is/may be a trailing space at the end of I was able to resolve this by modifying the feature pipelines to match by inserting Our logs are missing the timezone so the I have not tested beyond these samples but, looking at Citrix's docs, this is likely the case. In any case where the log ends in variable. I opened an issue on citrix's citrix/devdocs-issue-collector#36 a while back, after noticing there being no spaces where they should be. Now it seems that the case may be that a variable, such as Sample event from our deployment
Grok pattern in
Sample event from issue The trailing space is an assumption here since the event appears to process fine without it.
Grok pattern in
Verifying with call to
As @eriroley mentioned in #9592, the Citrix ADC messages received over syslog are missing the fields
even though the documentation of Citrix ADC clearly states that the logs are to be expected in this format. Therefore the grok pattern fails. We double-checked all the settings, but the log message format is not configurable for ADC logs.
To our understanding, the logfile format with the timestamp, level and client IP is only valid for logs saved to the /var/log folder.
integrations/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml (lines 26 to 37 in 7cdf580)
Here are some example messages:
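The two findings in this thread (the issue description's point that the documented timestamp/level/client-IP prefix only exists in the /var/log file form, and the later comment that events may arrive without a time zone and with a trailing space) can be reproduced with a small parser. The following is an added example, not code from the integration's ingest pipeline or from any commenter: it pits a pattern that assumes the documented file layout against a tolerant one, using constructed sample events (the hostnames, IPs, event names and key/value pairs are made up, and only the overall `MM/DD/YYYY:HH:MM:SS [TZ] N-PPE-N : partition FEATURE EVENT id seq : body` shape is assumed). Python regexes stand in for grok; the field names are the example's own, not the pipeline's.

```python
"""Parse Citrix ADC / NetScaler events as they arrive over syslog vs. as written to /var/log."""
import re
from typing import Dict, Optional

# Constructed samples (not from the issue, the docs or a real device).
# 1. Raw syslog form: no syslog timestamp, level or source IP in front; trailing space present.
SYSLOG_EVENT = (
    "10/05/2023:12:34:56 GMT 0-PPE-0 : default SSLVPN LOGIN 123 0 : "
    "Context user@10.0.0.1 - SessionId: 5 - User user - Client_ip 10.0.0.1 "
    '- Vserver 10.0.0.2:443 - Browser_type "Mozilla/5.0" - Group(s) "N/A" '
)
# 2. Same device with no time zone configured, trailing space present.
NO_TZ_EVENT = (
    "10/05/2023:12:35:01 0-PPE-0 : default AAA EXTRACTED_GROUPS 124 0 : "
    'Extracted_groups "admins" '
)
# 3. The /var/log/ns.log form the documentation describes: syslog timestamp, <facility.severity>, device IP.
FILE_EVENT = "Oct  5 12:34:56 <local0.info> 10.0.0.3 " + SYSLOG_EVENT

_CORE = (
    r"(?P<ppe>\d+-PPE-\d+) : (?P<partition>\S+) (?P<feature>\S+) (?P<event>\S+) "
    r"(?P<event_id>\d+) (?P<seq>\d+) : "
)

# Pattern written from the documented file layout: the three leading fields and the time zone are mandatory.
DOCUMENTED = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<level>[^>]+)> (?P<device_ip>\S+) "
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{2,5}) "
    + _CORE + r"(?P<body>.*)$"
)

# Tolerant pattern: leading fields optional, time zone optional, trailing whitespace not captured.
TOLERANT = re.compile(
    r"^(?:(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<level>[^>]+)> (?P<device_ip>\S+) )?"
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})"
    r"(?: (?P<tz>[A-Z]{2,5}))? "
    + _CORE + r"(?P<body>.*?)\s*$"
)


def parse_kv(body: str) -> Dict[str, str]:
    """Split the ' - ' delimited 'Key value' pairs that follow the second ' : '."""
    fields: Dict[str, str] = {}
    for part in body.split(" - "):
        key, _, value = part.strip().partition(" ")
        if key:
            fields[key.rstrip(":")] = value.strip().strip('"')
    return fields


def parse_event(line: str, pattern: "re.Pattern[str]" = TOLERANT) -> Optional[Dict[str, object]]:
    """Return the header fields plus parsed body, or None when the pattern does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    event: Dict[str, object] = {
        k: v for k, v in m.groupdict().items() if v is not None and k != "body"
    }
    event["fields"] = parse_kv(m.group("body"))
    # Record whether the raw line carried a trailing space, the detail the thread tripped over.
    event["trailing_space"] = line != line.rstrip()
    return event


if __name__ == "__main__":
    for name, line in (("syslog", SYSLOG_EVENT), ("no_tz", NO_TZ_EVENT), ("file", FILE_EVENT)):
        print(f"{name:7} documented={parse_event(line, DOCUMENTED) is not None} "
              f"tolerant={parse_event(line) is not None}")
```

Run as-is it shows that only the file-form sample matches the documented layout, while the tolerant pattern accepts all three. The tolerant body group is lazy (`.*?`) followed by `\s*$` for the same reason the commenter made the time zone optional: a greedy tail or a mandatory token at the end of the line is exactly what a trailing space breaks, and a syslog receiver has no control over whether the device emits one.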