[Citrix ADC] Add parsing for APPFW native messages with IP-based format #17367
Merged
haetamoudi merged 7 commits into elastic:main from Feb 23, 2026
Pinging @elastic/integration-experience (Team:Integration-Experience)
…mes, and URLs. parse cef on top of native update pr number update values
9b59476 to
049894a
ilyannn approved these changes on Feb 12, 2026 and left a comment:
Looks good with minor questions
Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com>
💚 Build Succeeded
haetamoudi added a commit to haetamoudi/integrations that referenced this pull request on Feb 23, 2026
Package citrix_adc - 1.18.4 containing this change is available at https://epr.elastic.co/package/citrix_adc/1.18.4/
navnit-elastic pushed a commit to navnit-elastic/integrations that referenced this pull request on Mar 2, 2026
Fixes: https://github.com/elastic/sdh-beats/issues/6878
Proposed commit message
Add parsing for APPFW native messages with IP-based format
Fixes parsing issues with Citrix ADC Application Firewall (APPFW) logs from Netscaler ADC 14.1 in two scenarios:
RFC5424 Native APPFW Messages
Problem: APPFW_POLICY_HIT messages with IP-based format not fully parsed. Fields like source.ip, profile names, and URLs are unparsed in citrix_adc.log.message.
Fix: Updated grok patterns in appfw_feature.yml to correctly extract missing fields from IP-based APPFW messages.
CEF Messages in RFC5424 Syslog
Problem: CEF messages wrapped in RFC5424 syslog headers routed to the CEF pipeline, leaving them unparsed in citrix.extended.message.
Fix: Update default.yml to detect CEF content after native RFC5424 parsing and route it to the CEF pipeline. This adds support for CEF over syslog (not just file-based CEF).
Checklist
changelog.yml file.
Screenshots
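The second fix in the description, detecting CEF content only after the RFC5424 envelope has been parsed, can be sketched as follows. This is an added Python illustration, not the integration's ingest pipeline code; the function name `route`, the returned field names, and both sample log lines are constructed for the example.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
CEF_PREFIX = re.compile(r"CEF:\d+\|")
# CEF extension: key=value pairs; a value runs until the next " key=" or the end.
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample lines (not taken from the pull request or a real device).
CEF_IN_SYSLOG = (
    "<134>1 2026-02-10T08:15:30Z adc01.example.test - - - - "
    "CEF:0|Citrix|NetScaler|NS14.1|APPFW|APPFW_STARTURL|6|src=192.0.2.10 "
    "spt=51234 method=GET request=http://app.example.test/login "
    "msg=Disallow Illegal URL. act=blocked"
)
NATIVE_IN_SYSLOG = (
    "<134>1 2026-02-10T08:15:31Z adc01.example.test - - - - "
    "APPFW APPFW_POLICY_HIT constructed native body mentioning CEF:0| later"
)


def route(line):
    """Parse the RFC5424 envelope, then choose a pipeline from the MSG content."""
    m = RFC5424.match(line)
    if m is None:
        return {"pipeline": "unparsed", "message": line}
    # MSG may start with a UTF-8 BOM (allowed by RFC 5424) or stray spaces.
    msg = (m.group("msg") or "").lstrip("\ufeff ")
    event = {"pipeline": "native", "hostname": m.group("hostname"), "message": msg}
    # Anchor at the start of MSG: "CEF:" later in a native body must not reroute.
    if CEF_PREFIX.match(msg):
        parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)  # 7 header fields + extension
        if len(parts) == 8:
            event.update(
                pipeline="cef", vendor=parts[1], product=parts[2],
                signature_id=parts[4], name=parts[5], severity=parts[6],
                extension=dict(CEF_EXT.findall(parts[7])),
            )
    return event


if __name__ == "__main__":
    for sample in (CEF_IN_SYSLOG, NATIVE_IN_SYSLOG, "not syslog at all"):
        print(route(sample))
```

A CEF header that is truncated before its seventh pipe stays on the native path, so a malformed event is kept with its raw message instead of being handed to a parser that would fail on it.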