[citrix_adc] Parse addition message formats (elastic#15598)

Add grok parsing patterns for grok_sslvpn_clisec_check and
grok_sslvpn_clisec_exp_eval to handle additional message formats, and
add test cases to cover the additional formats.

Author: mjwolf

packages/citrix_adc/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.3"
+  changes:
+    - description: "Add support for additional log format patterns in sslvpn_clisec"
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15598
 - version: "1.17.2"
   changes:
     - description: "Fix grok processing for HTTPREQUEST and UDPFLOWSTAT in sslvpn_and_aaatm_feature pipeline with optional patterns."

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log

@@ -1,2 +1,5 @@
 <134> 11/18/2024:11:11:00 GMT DCLVNSGP001 0-PPE-1 : default SSLVPN HTTPREQUEST 12345678 0 : [TECHSUPPORT][ENUMERATION] some.url.com User [email protected] : Group(s) N/A : Vserver 0.0.0.0:300 - 09/04/2025:18:24:45 GMT : Message = SSO is OFF : GET /path/path.xml - -
 <134> 09/04/2025:18:24:36 GMT DCLVNSGP001 0-PPE-6 : default SSLVPN UDPFLOWSTAT 58680561 0 : [TECHSUPPORT] User username.example.com - Client_ip 175.16.199.1 - Nat_ip 89.160.20.129 - Vserver 67.43.156.1:443 - Source 81.2.69.194:63685 - Destination 1.128.0.1:53 - Start_time "09/09/2024:20:44:03 GMT" - End_time "09/09/2024:20:46:06 GMT" - Duration 00:05:53  - Total_bytes_send 656 - Total_bytes_recv 2456 - Access Allowed - Group(s) "N/A"
+<135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891628 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine
+<135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891629 0 :  CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine
+<135> 10/03/2025:13:52:23 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 248708109 0 :  CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS" - Client_security_check passed

packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native-14-1.log-expected.json

@@ -216,6 +216,253 @@
             "user": {
                 "name": "username.example.com"
             }
+        },
+        {
+            "@timestamp": "2025-10-03T14:06:57.000Z",
+            "citrix": {
+                "cef_format": false,
+                "default_class": true,
+                "detail": "<135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891628 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine",
+                "device_event_class_id": "SSLVPN",
+                "extended": {
+                    "message": "CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine"
+                },
+                "host": "PRODSYST001",
+                "name": "CLISEC_EXP_EVAL"
+            },
+            "citrix_adc": {
+                "log": {
+                    "client_ip": "192.0.2.0",
+                    "client_security_check_status": "PASSED(0)",
+                    "message": "CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine",
+                    "vserver": {
+                        "ip": "198.51.100.2",
+                        "port": 443
+                    }
+                }
+            },
+            "client": {
+                "as": {
+                    "number": 64500,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Las Vegas",
+                    "continent_name": "North America",
+                    "country_iso_code": "US",
+                    "country_name": "United States",
+                    "location": {
+                        "lat": 36.17497,
+                        "lon": -115.13722
+                    },
+                    "region_iso_code": "US-NV",
+                    "region_name": "Nevada"
+                },
+                "ip": "192.0.2.0"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "id": "249891628",
+                "kind": "event",
+                "original": "<135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891628 0 : CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.APPLICATION('ANTIVIR_9398_3882_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS PASSED(0) on the client machine",
+                "severity": 0,
+                "timezone": "GMT",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "hostname": "PRODSYST001",
+                "product": "Netscaler",
+                "type": "firewall",
+                "vendor": "Citrix"
+            },
+            "related": {
+                "ip": [
+                    "198.51.100.2",
+                    "192.0.2.0"
+                ]
+            },
+            "server": {
+                "ip": "198.51.100.2",
+                "port": 443
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "@timestamp": "2025-10-03T14:06:57.000Z",
+            "citrix": {
+                "cef_format": false,
+                "default_class": true,
+                "detail": "<135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891629 0 :  CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine",
+                "device_event_class_id": "SSLVPN",
+                "extended": {
+                    "message": "CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine"
+                },
+                "host": "PRODSYST001",
+                "name": "CLISEC_EXP_EVAL"
+            },
+            "citrix_adc": {
+                "log": {
+                    "client_ip": "192.0.2.0",
+                    "client_security_check_status": "PASSED(0)",
+                    "message": "CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine",
+                    "vserver": {
+                        "ip": "198.51.100.2",
+                        "port": 443
+                    }
+                }
+            },
+            "client": {
+                "as": {
+                    "number": 64500,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Las Vegas",
+                    "continent_name": "North America",
+                    "country_iso_code": "US",
+                    "country_name": "United States",
+                    "location": {
+                        "lat": 36.17497,
+                        "lon": -115.13722
+                    },
+                    "region_iso_code": "US-NV",
+                    "region_name": "Nevada"
+                },
+                "ip": "192.0.2.0"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "id": "249891629",
+                "kind": "event",
+                "original": "<135> 10/03/2025:14:06:57 GMT PRODSYST001 0-PPE-4 : default SSLVPN CLISEC_EXP_EVAL 249891629 0 :  CaseID cbed1: - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client security check CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS PASSED(0) on the client machine",
+                "severity": 0,
+                "timezone": "GMT",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "hostname": "PRODSYST001",
+                "product": "Netscaler",
+                "type": "firewall",
+                "vendor": "Citrix"
+            },
+            "related": {
+                "ip": [
+                    "198.51.100.2",
+                    "192.0.2.0"
+                ]
+            },
+            "server": {
+                "ip": "198.51.100.2",
+                "port": 443
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "@timestamp": "2025-10-03T13:52:23.000Z",
+            "citrix": {
+                "cef_format": false,
+                "default_class": true,
+                "detail": "<135> 10/03/2025:13:52:23 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 248708109 0 :  CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check passed",
+                "device_event_class_id": "SSLVPN",
+                "extended": {
+                    "message": "CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check passed"
+                },
+                "host": "PRODSYST001",
+                "name": "CLISEC_CHECK"
+            },
+            "citrix_adc": {
+                "log": {
+                    "client_ip": "192.0.2.0",
+                    "client_security_check_status": "passed",
+                    "client_security_expression": "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS",
+                    "message": "CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check passed",
+                    "vserver": {
+                        "ip": "198.51.100.2",
+                        "port": 443
+                    }
+                }
+            },
+            "client": {
+                "as": {
+                    "number": 64500,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Las Vegas",
+                    "continent_name": "North America",
+                    "country_iso_code": "US",
+                    "country_name": "United States",
+                    "location": {
+                        "lat": 36.17497,
+                        "lon": -115.13722
+                    },
+                    "region_iso_code": "US-NV",
+                    "region_name": "Nevada"
+                },
+                "ip": "192.0.2.0"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "id": "248708109",
+                "kind": "event",
+                "original": "<135> 10/03/2025:13:52:23 GMT PRODSYST001 0-PPE-7 : default SSLVPN CLISEC_CHECK 248708109 0 :  CaseID: f0ce9 - Client IP 192.0.2.0 - Vserver 198.51.100.2:443 - Client_security_expression \"CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_example.com.jp[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_1346_3064_RTP_==_TRUE[COMMENT: Cortex XDR]') EXISTS\" - Client_security_check passed",
+                "severity": 0,
+                "timezone": "GMT",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "hostname": "PRODSYST001",
+                "product": "Netscaler",
+                "type": "firewall",
+                "vendor": "Citrix"
+            },
+            "related": {
+                "ip": [
+                    "198.51.100.2",
+                    "192.0.2.0"
+                ]
+            },
+            "server": {
+                "ip": "198.51.100.2",
+                "port": 443
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
         }
     ]
 }

packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml

@@ -121,6 +121,7 @@ processors:
       field: citrix.extended.message
       patterns:
         - '^%{WORD:citrix_adc.log.alert_type} ?: %{WORD:citrix_adc.log.alert_level} - ClientIP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression "%{DATA:citrix_adc.log.client_security_expression}" - ?$'
+        - "^CaseID: %{WORD} - Client IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression \"%{GREEDYDATA:citrix_adc.log.client_security_expression}\" - Client_security_check %{WORD:citrix_adc.log.client_security_check_status}$"
 
   - grok:
       tag: grok_sslvpn_sta_validate_resp
@@ -142,6 +143,7 @@ processors:
       field: citrix.extended.message
       patterns:
         - '^User %{USER:citrix_adc.log.user}%{SPACE}:%{SPACE}- Client%{SPACE}IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client%{SPACE}security%{SPACE}check%{SPACE}Passed\(%{NUMBER:citrix_adc.log.client_security_check_status:int}\)%{SPACE}on%{SPACE}the%{SPACE}client%{SPACE}machine$'
+        - "^CaseID %{WORD}: - Client IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client security check %{GREEDYDATA} EXISTS %{GREEDYDATA:citrix_adc.log.client_security_check_status} on the client machine$"
 
   - grok:
       tag: grok_sslvpn_message

packages/citrix_adc/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: citrix_adc
 title: Citrix ADC
-version: "1.17.2"
+version: "1.17.3"
 description: This Elastic integration collects logs and metrics from Citrix ADC product.
 type: integration
 categories: