So there are actually several parsing rules applied to this log source, so you’ll have to create several parsing rules and apply them to your NetScaler logs, but here are the parsers I have. I don’t have every log available parsed out since we don’t use all of the features.
Name:
netscaler - AAA LOGIN_FAILED
Filter:
AAA LOGIN_FAILED
Extracted Fields:
^<132>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+)\s.*?(?:User\s(?P<user>[^\s]+)\s)?\-\sClient_ip\s(?P<source_ip>[^\s]+)\s\-\sFailure_reason\s\"(?P<failure_reason>[^\"]+)"(?:\s\-\sBrowser\s(?P<user_agent>.+))?

Name:
netscaler - GUI CMD_EXECUTED
Filter:
GUI
Extracted Fields:
^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+).*User\s(?P<user>[^\s]+)\s\-\sRemote_ip\s(?P<source_ip>[^\s]+).*?Command\s\"(?P<command>[^\"]+).*Status\s\"(?P<result>[^\"]+)\"

Name:
netscaler - ICAEND_CONNSTAT
Filter:
ICAEND_CONNSTAT
Extracted Fields:
^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+).*Source\s(?P<source_ip>[^\:]+)\:(?P<source_port>[^\s]+)\s\-\sDestination\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?domainname\s(?P<user>\w+).*?Duration\s(?P<duration>[^\s]+).*?Total_bytes_send\s(?P<total_bytes_send>\d+)\s-\sTotal_bytes_recv\s(?P<total_bytes_recv>\d+)

Name:
netscaler - SSLVPN ICASTART
Filter:
SSLVPN ICASTART
Extracted Fields:
^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+).*Source\s(?P<source_ip>[^\:]+)\:(?P<source_port>[^\s]+)\s\-\sDestination\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?domainname\s(?P<user>\w+).*?applicationName\s(?P<application_name>(?:\w\s\d+|[^\s])+)

Name:
netscaler - SSLVPN LOGIN
Filter:
SSLVPN LOGIN
Extracted Fields:
^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+)\s.*?Context\s(?P<user>[^\@]+)\@(?:\w+\.com\@)?(?P<source_ip>[^\s]+).*?Vserver\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?Browser_type\s\"(?P<user_agent>[^\"]+)\".*?SSLVPN_client_type\s(?P<sslvpn_client_type>[^\s]+)

Name:
netscaler - SSLVPN LOGOUT
Filter:
SSLVPN LOGOUT
Extracted Fields:
^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+)\s.*?User\s(?P<user>[^\s]+)\s\-\sClient_ip\s(?P<source_ip>[^\s]+).*?Vserver\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?Duration\s(?P<duration>[^\s]+).*?Total_bytes_send\s(?P<total_bytes_send>\d+)\s-\sTotal_bytes_recv\s(?P<total_bytes_recv>\d+).*?LogoutMethod\s\"(?P<logout_method>\w+)\"

Name:
NetScaler - TCP
Filter:
default TCP
Extracted Fields:
^<134>\s(?P<timestamp>[^\s]+).*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+).*?Source\s(?P<source_ip>[^:]+)\:(?P<source_port>[^\s]+)\s.*?Destination\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?Total_bytes_send\s(?P<total_bytes_send>\d+)\s-\sTotal_bytes_recv\s(?P<total_bytes_recv>\d+)
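Added example, not from the post above: a small Python harness that applies four of the rules exactly as written (filter as a plain substring test, then the named-group regex for extraction) to constructed NetScaler-style syslog lines, so you can check what each rule actually pulls out before loading it into the SIEM. It also shows the failure mode to watch for with this kind of rule set: a line that hits a filter but not its regex is reported as "unparsed" rather than silently dropped, and a simple failed-login count per source IP is run over the parsed events. The sample log lines, the `parse_line` and `spray_sources` function names, and the threshold of 3 are my own assumptions for illustration; the regexes are copied unchanged from the post.

```python
import re
from collections import Counter

# Parsing rules copied from the post, as (rule name, filter substring, extraction regex).
# Four of the seven are reproduced here; the others plug in the same way.
RULES = [
    ("netscaler - AAA LOGIN_FAILED", "AAA LOGIN_FAILED",
     r'^<132>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+)\s.*?(?:User\s(?P<user>[^\s]+)\s)?\-\sClient_ip\s(?P<source_ip>[^\s]+)\s\-\sFailure_reason\s\"(?P<failure_reason>[^\"]+)"(?:\s\-\sBrowser\s(?P<user_agent>.+))?'),
    ("netscaler - GUI CMD_EXECUTED", "GUI",
     r'^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+).*User\s(?P<user>[^\s]+)\s\-\sRemote_ip\s(?P<source_ip>[^\s]+).*?Command\s\"(?P<command>[^\"]+).*Status\s\"(?P<result>[^\"]+)\"'),
    ("netscaler - SSLVPN LOGIN", "SSLVPN LOGIN",
     r'^<134>\s(?P<timestamp>[^\s]+)\s.*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+)\s.*?Context\s(?P<user>[^\@]+)\@(?:\w+\.com\@)?(?P<source_ip>[^\s]+).*?Vserver\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?Browser_type\s\"(?P<user_agent>[^\"]+)\".*?SSLVPN_client_type\s(?P<sslvpn_client_type>[^\s]+)'),
    ("NetScaler - TCP", "default TCP",
     r'^<134>\s(?P<timestamp>[^\s]+).*?default\s(?P<feature>\w+)\s(?P<vendor_message>[^\s]+).*?Source\s(?P<source_ip>[^:]+)\:(?P<source_port>[^\s]+)\s.*?Destination\s(?P<destination_ip>[^\:]+)\:(?P<destination_port>[^\s]+).*?Total_bytes_send\s(?P<total_bytes_send>\d+)\s-\sTotal_bytes_recv\s(?P<total_bytes_recv>\d+)'),
]
COMPILED = [(name, flt, re.compile(rx)) for name, flt, rx in RULES]

# Constructed sample lines in the NetScaler syslog layout (not captured from a real appliance).
# Three failed logins for different users from one IP, one GUI command, one VPN login with a
# domain in the Context field, one TCP record, and a LOGIN_FAILED variant with extra fields
# between Client_ip and Failure_reason that the regex as written cannot extract.
SAMPLE_LOGS = [
    '<132> 03/14/2024:10:15:22 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1001 0 : User jdoe - Client_ip 203.0.113.5 - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 10.0)',
    '<132> 03/14/2024:10:15:29 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1002 0 : User asmith - Client_ip 203.0.113.5 - Failure_reason "External authentication server denied access"',
    '<132> 03/14/2024:10:15:36 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1003 0 : User admin - Client_ip 203.0.113.5 - Failure_reason "External authentication server denied access"',
    '<134> 03/14/2024:10:16:01 GMT ns01 0-PPE-0 : default GUI CMD_EXECUTED 1004 0 : User nsroot - Remote_ip 198.51.100.20 - Command "add lb vserver web_vs HTTP 10.0.0.10 80" - Status "Success"',
    '<134> 03/14/2024:10:17:45 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 1005 0 : Context jdoe@example.com@203.0.113.7 - SessionId: 7 - User jdoe - Client_ip 203.0.113.7 - Vserver 192.0.2.10:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0)" - SSLVPN_client_type ICA - Group(s) "N/A"',
    '<134> 03/14/2024:10:18:00 GMT ns01 0-PPE-0 : default TCP CONN_TERMINATE 1006 0 : Source 203.0.113.7:51234 - Destination 192.0.2.10:443 - Start Time 03/14/2024:10:17:50 GMT - End Time 03/14/2024:10:18:00 GMT - Total_bytes_send 1024 - Total_bytes_recv 4096',
    '<132> 03/14/2024:10:19:10 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1007 0 : User jdoe - Client_ip 203.0.113.9 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "Invalid credentials passed"',
]


def parse_line(line):
    """Apply the rules in order: the filter is a substring test, the regex does the extraction.

    Returns (status, rule_name, fields). status is "parsed", "unparsed" (a filter hit but the
    regex did not, i.e. a line the rule would drop) or "unmatched" (no filter hit at all).
    Optional groups that did not participate (e.g. Browser) are left out of fields."""
    for name, flt, rx in COMPILED:
        if flt not in line:
            continue
        m = rx.search(line)
        if m:
            return "parsed", name, {k: v for k, v in m.groupdict().items() if v is not None}
        return "unparsed", name, {}
    return "unmatched", None, {}


def spray_sources(lines, threshold=3):
    """Count AAA LOGIN_FAILED events per source IP and flag IPs at or above the threshold,
    returning the distinct usernames tried from each (many users from one IP is the spray
    shape). Unparsed lines are returned too: they are failures the count never sees."""
    counts, users, unparsed = Counter(), {}, []
    for line in lines:
        status, rule, fields = parse_line(line)
        if status == "unparsed":
            unparsed.append((rule, line))
        elif rule == "netscaler - AAA LOGIN_FAILED":
            ip = fields["source_ip"]
            counts[ip] += 1
            users.setdefault(ip, set()).add(fields.get("user", "?"))
    flagged = {ip: sorted(users[ip]) for ip, n in counts.items() if n >= threshold}
    return flagged, unparsed


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        status, rule, fields = parse_line(line)
        print(status, rule, fields)
    print(spray_sources(SAMPLE_LOGS))
```

The last sample line is the one to pay attention to: it is a genuine LOGIN_FAILED event, but because the rule above expects `Client_ip ... - Failure_reason` to be adjacent, it is never extracted, and any alert built on the parsed fields would miss it. Running every rule against a few hundred real lines and counting the "unparsed" bucket is a cheap way to find those gaps before they matter.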