Conversation

@haetamoudi
Contributor

Fixes: https://github.com/elastic/sdh-beats/issues/6878

Proposed commit message

Add parsing for APPFW native messages with IP-based format

Fixes parsing issues with Citrix ADC Application Firewall (APPFW) logs from Netscaler ADC 14.1 in two scenarios:

  1. RFC5424 Native APPFW Messages
     Problem: APPFW_POLICY_HIT messages with the IP-based format are not fully parsed. Fields like source.ip, profile names, and URLs are left unparsed in citrix_adc.log.message.
     Fix: Updated the grok patterns in appfw_feature.yml to correctly extract the missing fields from IP-based APPFW messages.

  2. CEF Messages in RFC5424 Syslog
     Problem: CEF messages wrapped in RFC5424 syslog headers were routed to the CEF pipeline, leaving them unparsed in citrix.extended.message.
     Fix: Updated default.yml to detect CEF content after native RFC5424 parsing and route it to the CEF pipeline. This adds support for CEF over syslog (not just file-based CEF).

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Screenshots
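The detection step from fix 2 in the description, as an added example written for this page and not code from the integration (the real change lives in Elasticsearch ingest pipeline YAML, which this Python only stands in for): parse the RFC5424 header first, then test whether the remaining body is CEF and route it to the matching handler. The regex, function names and sample lines are constructed assumptions.

```python
import re

# RFC5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# Assumption: structured-data elements contain no escaped ']' characters.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# Constructed sample lines (not from the PR or a real appliance). The native
# body is a placeholder, since only its routing matters here.
SAMPLES = [
    "<134>1 2026-02-11T09:32:00Z ns01 NetScaler - - - CEF:0|Citrix|NetScaler|14.1"
    "|APPFW_POLICY_HIT|Policy hit|5|src=10.0.0.5 request=http://example.test/login",
    "<134>1 2026-02-11T09:32:01Z ns01 NetScaler - - - APPFW APPFW_POLICY_HIT body",
    "<134>1 2026-02-11T09:32:02Z ns01 NetScaler - - - CEF:0|Citrix|NetScaler|14.1"
    "|APPFW_POLICY_HIT|Policy\\|hit|5|src=10.0.0.6",
]

def split_rfc5424(line):
    """Return the RFC5424 header fields plus the free-form MSG, or None."""
    m = RFC5424.match(line)
    return m.groupdict() if m else None

def split_cef(body):
    """Split a CEF body into its 7 header fields and the extension string.
    A literal '|' inside a header field is escaped as '\\|' and must not split."""
    if not body.startswith("CEF:"):
        return None
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # extension keeps its pipes
    if len(parts) != 8:
        return None
    keys = ["cef_version", "vendor", "product", "device_version",
            "signature_id", "name", "severity", "extension"]
    cef = dict(zip(keys, parts))
    cef["cef_version"] = cef["cef_version"][len("CEF:"):]
    return cef

def route(line):
    """Parse the syslog header first, then pick the pipeline for the body."""
    hdr = split_rfc5424(line)
    if hdr is None:
        return "unparsed", None  # not RFC5424 at all; leave for other handling
    cef = split_cef(hdr["msg"])
    if cef is not None:
        return "cef", {"syslog": hdr, "cef": cef}
    return "native", {"syslog": hdr, "message": hdr["msg"]}
```

The third sample shows why the CEF split has to honour escaped pipes: a naive split on `|` would shift every header field after the name and misfile the severity.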

@haetamoudi haetamoudi requested review from a team as code owners February 11, 2026 09:32
@haetamoudi haetamoudi added labels Integration:citrix_adc, bugfix, Team:Integration-Experience on Feb 11, 2026
@elasticmachine

Pinging @elastic/integration-experience (Team:Integration-Experience)


elastic-vault-github-plugin-prod bot commented Feb 11, 2026

🚀 Benchmarks report

Package citrix_adc 👍(5) 💚(0) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%)          | Result
vpn         | 6369.43      | 5235.6  | -1133.83 (-17.8%) | 💔

To see the full report comment with /test benchmark fullreport

…mes, and URLs.

parse cef on top of native

update pr number

update values
@haetamoudi haetamoudi force-pushed the 6878-issue-parsing-netscaler-appfw-logs-as-either-cef-or-syslog-message branch from 9b59476 to 049894a Compare February 11, 2026 10:25
@elasticmachine

💚 Build Succeeded
