
cef0.citrix.netscaler

Introduction

The cef0.citrix.netscaler table identifies events in CEF format generated by Citrix ADC.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tag | Data table
--- | ---
cef0.citrix.netscaler | cef0.citrix.netscaler

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following is a sample log sent to the cef0.citrix.netscaler table. Below the sample you can see how its information is parsed into the columns of your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

2021-11-19 10:47:03.298 localhost=127.0.0.1 14 CEF: 0|Citrix|NetScaler||SSLVPN Message|SSLVPN Message|Low| eventId=123456789012 msg=SSID 6ce1 Core : 0, ns_mp_iip_get_ip returned 0 mrt=1591228797641 in=-2147483648 out=-2147483648 customerID=idid customerURI=/id/id/id categorySignificance=/Informational categoryBehavior=/Found categoryDeviceGroup=/VPN catdt=Network-based IDS/IPS categoryOutcome=/Attempt categoryObject=/Host/Application/Service modelConfidence=0 severity=0 relevance=10 assetCriticality=0 priority=3 art=1591228789700 deviceSeverity=INFO act=SSID rt=1591228793000 dvcpid=87788611 oldFileId=ProcessId: 87788611 locality=1 cs1Label=Object cs2Label=Monitor cs3Label=Field cs4Label=Device cs6Label=Script deviceCustomDate1Label=End Time ahost=id.id.id.com agt=123.123.123.123 amac=00-00-00-00-00-00 av=7.9.0.8087.0 atz=UTC at=superagent_ng dvc=123.168.0.0 deviceZoneID=Mbp432AABABCDUVpYAT3UdQ||=||= deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 123.45.0.0-123.67.255.255 deviceZoneExternalID=RFC1918: 123.45.0.0-123.67.255.255 dtz=America/La_Paz eventAnnotationStageUpdateTime=1591228797650 eventAnnotationModificationTime=1591228797650 eventAnnotationAuditTrail=1,1590985766559,root,Queued,,,,||n eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1591228793000 eventAnnotationManagerReceiptTime=1591228797641 originalAgentHostName=id.id.com originalAgentAddress=123.168.0.0 originalAgentMacAddress=00-00-00-00-00-00 originalAgentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 123.45.0.0-123.67.255.255 originalAgentVersion=7.15.0.8295.0 originalAgentId=3tEAlYG4BABDo7d1iOpXjOw||=||= originalAgentType=syslog _cefVer=0.1 ad.arcSightEventPath=3tEAlYG4BABDo7d1iOpXjOw||=||= aid=aid1234

And this is how the log would be parsed:

Field | Value | Type | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | 2021-11-19 10:47:03.298 | timestamp | |
hostname | localhost | str | |
priorityCode | 14 | str | |
cefTag | CEF | str | |
cefVersion | 0 | str | |
embDeviceVendor | Citrix | str | |
embDeviceProduct | NetScaler | str | |
deviceVersion | | str | |
signatureID | SSLVPN Message | str | |
name | SSLVPN Message | str | |
severity | Low | str | |
_cefVer | 0.1 | str | |
rt | 2020-06-03 23:59:53.0 | timestamp | |
cs1Label | Object | str | |
cs2Label | Monitor | str | |
cs4Label | Device | str | |
act | SSID | str | |
deviceCustomDate1Label | End Time | str | |
in | | int8 | |
out | -2147483648 | int8 | |
cs3Label | Field | str | |
dvcpid | 87788611 | int4 | |
cs6Label | Script | str | |
dvc | 123.168.0.0 | ip4 | |
oldFileId | ProcessId: 87788611 | str | |
msg | SSID 6ce1 Core : 0, ns_mp_iip_get_ip returned 0 | str | |
eventId | 123456789012 | str | |
modelConfidence | 0 | str | |
eventAnnotationAuditTrail | 1,1590985766559,root,Queued,,,,\|\|n | str | |
customerID | idid | str | |
agt | 123.123.123.123 | str | |
categorySignificance | /Informational | str | |
categoryBehavior | /Found | str | |
originalAgentHostName | id.id.com | str | |
categoryObject | /Host/Application/Service | str | |
Severity | 0 | str | |
aid | aid1234 | str | |
av | 7.9.0.8087.0 | str | |
originalAgentVersion | 7.15.0.8295.0 | str | |
eventAnnotationEndTime | 1591228793000 | str | |
eventAnnotationManagerReceiptTime | 1591228797641 | str | |
deviceZoneExternalID | RFC1918: 123.45.0.0-123.67.255.255 | str | |
originalAgentId | 3tEAlYG4BABDo7d1iOpXjOw\|\|=\|\|= | str | |
catdt | Network-based IDS/IPS | str | |
originalAgentType | syslog | str | |
locality | 1 | str | |
eventAnnotationModificationTime | 1591228797650 | str | |
priority | 3 | str | |
customerURI | /id/id/id | str | |
originalAgentAddress | 123.168.0.0 | str | |
at | superagent_ng | str | |
originalAgentMacAddress | 00-00-00-00-00-00 | str | |
deviceZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 123.45.0.0-123.67.255.255 | str | |
dtz | America/La_Paz | str | |
eventAnnotationStageUpdateTime | 1591228797650 | str | |
eventAnnotationVersion | 1 | str | |
categoryDeviceGroup | /VPN | str | |
atz | UTC | str | |
categoryOutcome | /Attempt | str | |
deviceSeverity | INFO | str | |
deviceZoneID | Mbp432AABABCDUVpYAT3UdQ\|\|=\|\|= | str | |
assetCriticality | 0 | str | |
ahost | id.id.id.com | str | |
mrt | 1591228797641 | str | |
relevance | 10 | str | |
eventAnnotationFlags | 0 | str | |
art | 1591228789700 | str | |
originalAgentZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 123.45.0.0-123.67.255.255 | str | |
amac | 00-00-00-00-00-00 | str | |
hostchain | localhost=127.0.0.1 | str | | ✓
tag | CEF | str | cefTag | ✓
rawMessage | CEF: 0\|Citrix\|NetScaler\|\|SSLVPN Message\|SSLVPN Message\|Low\| eventId=123456789012 msg=SSID 6ce1 Core : 0, ns_mp_iip_get_ip returned 0 mrt=1591228797641 in=-2147483648 out=-2147483648 customerID=idid customerURI=/id/id/id categorySignificance=/Informational categoryBehavior=/Found categoryDeviceGroup=/VPN catdt=Network-based IDS/IPS categoryOutcome=/Attempt categoryObject=/Host/Application/Service modelConfidence=0 severity=0 relevance=10 assetCriticality=0 priority=3 art=1591228789700 deviceSeverity=INFO act=SSID rt=1591228793000 dvcpid=87788611 oldFileId=ProcessId: 87788611 locality=1 cs1Label=Object cs2Label=Monitor cs3Label=Field cs4Label=Device cs6Label=Script deviceCustomDate1Label=End Time ahost=id.id.id.com agt=123.123.123.123 amac=00-00-00-00-00-00 av=7.9.0.8087.0 atz=UTC at=superagent_ng dvc=123.168.0.0 deviceZoneID=Mbp432AABABCDUVpYAT3UdQ\|\|=\|\|= deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 123.45.0.0-123.67.255.255 deviceZoneExternalID=RFC1918: 123.45.0.0-123.67.255.255 dtz=America/La_Paz eventAnnotationStageUpdateTime=1591228797650 eventAnnotationModificationTime=1591228797650 eventAnnotationAuditTrail=1,1590985766559,root,Queued,,,,\|\|n eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1591228793000 eventAnnotationManagerReceiptTime=1591228797641 originalAgentHostName=id.id.com originalAgentAddress=123.168.0.0 originalAgentMacAddress=00-00-00-00-00-00 originalAgentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 123.45.0.0-123.67.255.255 originalAgentVersion=7.15.0.8295.0 originalAgentId=3tEAlYG4BABDo7d1iOpXjOw\|\|=\|\|= originalAgentType=syslog _cefVer=0.1 ad.arcSightEventPath=3tEAlYG4BABDo7d1iOpXjOw\|\|=\|\|= aid=aid1234 | str | | ✓
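The Python script below is an added example, not Devo's own parser, that reproduces the mapping shown in the table for the sample log above and the cef0.deviceVendor.deviceProduct routing described under Tag structure. It splits the prefix (eventdate, hostchain, priorityCode), the seven pipe-delimited CEF header fields and the key=value extension, whose values may contain spaces, "=" and "|" (as in deviceZoneID and eventAnnotationAuditTrail), derives the cef0.citrix.netscaler table name and converts the epoch-millisecond rt value into the timestamp the table shows. The prefix layout, the lower-casing of vendor and product, and the renaming of the extension's colliding severity key to Severity are inferred from this one sample rather than taken from a Devo specification; the SAMPLE string is an abbreviated copy of the page's log line.

```python
import re
from datetime import datetime, timezone

# Abbreviated copy of the page's sample log (constructed input for this example).
SAMPLE = (
    "2021-11-19 10:47:03.298 localhost=127.0.0.1 14 CEF: 0|Citrix|NetScaler||SSLVPN Message|"
    "SSLVPN Message|Low| eventId=123456789012 msg=SSID 6ce1 Core : 0, ns_mp_iip_get_ip returned 0 "
    "mrt=1591228797641 in=-2147483648 out=-2147483648 severity=0 priority=3 act=SSID "
    "rt=1591228793000 dvcpid=87788611 oldFileId=ProcessId: 87788611 cs1Label=Object "
    "dvc=123.168.0.0 deviceZoneID=Mbp432AABABCDUVpYAT3UdQ||=||= "
    "deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: "
    "123.45.0.0-123.67.255.255 eventAnnotationAuditTrail=1,1590985766559,root,Queued,,,,||n "
    "_cefVer=0.1 ad.arcSightEventPath=3tEAlYG4BABDo7d1iOpXjOw||=||= aid=aid1234"
)

# Column names the page's table uses for the seven CEF header fields, in header order.
HEADER_FIELDS = ("cefVersion", "embDeviceVendor", "embDeviceProduct", "deviceVersion",
                 "signatureID", "name", "severity")

# Prefix layout read off the sample (assumption): "<eventdate> <hostchain> <priorityCode> CEF: ..."
PREFIX_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>\S+) (?P<priorityCode>\d+) (?P<rawMessage>CEF:.*)$"
)
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")      # a '|' that is not escaped as '\|'
KEY_RE = re.compile(r"(?:^|(?<=\s))([\w.]+)=")  # extension key: word run at start or after whitespace
ESCAPE_RE = re.compile(r"\\(.)")                # CEF backslash escapes


def unescape(value: str) -> str:
    # CEF escapes '|' (header), '=' (extension) and '\' with a backslash; \n and \r mean newlines.
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    # Each value runs from its '=' up to the next key, so spaces, '=' and '||=||=' inside values survive.
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields


def parse_cef(raw: str) -> dict:
    # 'CEF:<version>|<vendor>|<product>|<deviceVersion>|<signatureID>|<name>|<severity>|<extension>'
    if not raw.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = HEADER_SPLIT_RE.split(raw[4:].lstrip(), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields before the extension")
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    return {"header": header, "extension": parse_extension(parts[7].strip())}


def devo_table(header: dict) -> str:
    # cef0.<deviceVendor>.<deviceProduct>; lower-casing is inferred from Citrix/NetScaler -> cef0.citrix.netscaler
    return "cef0.%s.%s" % (header["embDeviceVendor"].lower(), header["embDeviceProduct"].lower())


def epoch_ms_to_str(ms: str) -> str:
    # Epoch milliseconds rendered the way the table shows rt, e.g. 1591228793000 -> 2020-06-03 23:59:53.0 (UTC)
    n = int(ms)
    dt = datetime.fromtimestamp(n // 1000, tz=timezone.utc).replace(microsecond=(n % 1000) * 1000)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-5]


def parse_devo_line(line: str) -> dict:
    # Produce the field -> value mapping the page's table shows for one log line.
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("line does not match the sample's prefix layout")
    row = {
        "eventdate": m["eventdate"],
        "hostchain": m["hostchain"],
        "hostname": m["hostchain"].split("=", 1)[0],
        "priorityCode": m["priorityCode"],
        "cefTag": "CEF",
        "rawMessage": m["rawMessage"],
    }
    cef = parse_cef(m["rawMessage"])
    row.update(cef["header"])
    for key, value in cef["extension"].items():
        # The table keeps the header's severity=Low and files the extension's severity=0 under
        # "Severity"; applying that capitalisation to any colliding key is an assumption.
        if key in row:
            key = key[0].upper() + key[1:]
        row[key] = value
    if row.get("rt", "").isdigit():
        row["rt"] = epoch_ms_to_str(row["rt"])
    row["table"] = devo_table(cef["header"])  # where Devo would route this event
    return row


if __name__ == "__main__":
    for field, value in parse_devo_line(SAMPLE).items():
        print(f"{field:28} {value}")
```

Running the script prints one line per column; the point to check against the table is that msg keeps its embedded spaces and colon, deviceZoneID keeps its trailing "||=||=", and rt comes out as 2020-06-03 23:59:53.0 while the header's Low stays in severity and the extension's 0 lands in Severity.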