Merge pull request #1388 from SEKOIA-IO/fix/citrix_adc_warning

Fix: Citrix ADC fix warning (315)
SEKOIA-IO · Dec 11, 2024 · 838ce6c · 838ce6c
2 parents ff1dd4b + 49a3f0a
commit 838ce6c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 16 deletions.
diff --git a/Citrix/citrix-adc/ingest/parser.yml b/Citrix/citrix-adc/ingest/parser.yml
@@ -90,7 +90,7 @@ pipeline:
           CIPHER_SUITE: '"?"?[\w\-\.]+"?"?'
 
   - name: set_audit_log_fields
-    filter: '{{not original.message.startswith("CEF")}}'
+    filter: '{{not original.message.startswith("CEF") and parse_audit_header.message.type not in ["AAATM"]}}'
 
   - name: set_connection_log_fields
     filter: "{{ parse_audit_header.message.type == 'TCP' }}"
@@ -105,25 +105,29 @@ pipeline:
     filter: "{{ parse_audit_header.message.type == 'SSLLOG' }}"
 
   - name: set_other_log_fields
-    filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP'] }}"
+    filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP', 'AAATM'] }}"
 
 stages:
   set_cef_header_fields:
     actions:
       - set:
           event.kind: "alert"
           event.dataset: "alert"
+
       - set:
           observer.vendor: "{{parsed_event.message.DeviceVendor}}"
           observer.product: "{{parsed_event.message.DeviceProduct}}"
           observer.version: "{{parsed_event.message.DeviceVersion}}"
+
       - set:
           source.ip: "{{parsed_event.message.src}}"
           source.port: "{{parsed_event.message.spt}}"
+
       - set:
           event.reason: "{{parsed_event.message.msg}}"
           event.action: "{{parsed_event.message.act}}"
           event.category: ["network"]
+
       - set:
           url.original: "{{parsed_event.message.request}}"
       - set:

diff --git a/Citrix/citrix-adc/tests/test_aaatm.json b/Citrix/citrix-adc/tests/test_aaatm.json
@@ -4,20 +4,12 @@
   },
   "expected": {
     "message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 :  \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
-    "event": {
-      "category": [
-        "network"
-      ],
-      "code": "Message",
-      "dataset": "audit_aaatm",
-      "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
-      "type": [
-        "connection"
-      ]
-    },
-    "@timestamp": "2023-09-29T07:40:56Z",
-    "observer": {
-      "name": "ADC"
+    "sekoiaio": {
+      "intake": {
+        "parsing_warnings": [
+          "No fields extracted from original event"
+        ]
+      }
     }
   }
 }