Hi,
I have Splunk 9.3.3 and latest SC4S 3.37 and I have some logs already being parsed via SC4S (PaloAlto and Stormshield).
The issue appeared while trying to ingest Citrix syslog events. After configuring Citrix to send audit logs to SC4S, I see the events arriving in SC4S via UDP/514 (using tcpdump). Unfortunately I don't see any event in Splunk.
14:34:13.720206 IP (tos 0x0, ttl 254, id 2013, offset 0, flags [none], proto UDP (17), length 314) 192.168.XX.XXX.5490 > 192.168.XX.XXX.syslog: [udp sum ok] SYSLOG, length: 286 Facility local0 (16), Severity info (6) Msg: 1 2025-07-07T12:27:28Z XXXXXXX TCP 0-PPE-0 - - default CONN_DELINK 43355 0 : Source 85.215.68.62:36550 - Vserver 192.168.XX.XXX:443 - NatIP 192.168.XX.XXX:9258 - Destination 192.168.XX.XXX:443 - Delink Time 07/07/2025:12:27:28 GMT - Total_bytes_send 0 - Total_bytes_recv 378\0x0a ......
I checked the documentation and Citrix appears as a known vendor, so I assumed I didn't have to configure anything else.
Could someone tell me what I am missing?
Thanks a lot.
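Between "tcpdump sees the datagram" and "the event shows up in Splunk" sits the question of whether the frame on the wire is a well-formed RFC 5424 message that a collector can classify. The following Python is an added example, not SC4S code and not anything from the post's author: it parses the RFC 5424 header and the NetScaler-style body of the message captured above. The `SAMPLE` string is constructed from the tcpdump line in the post (masked hostnames and addresses kept as they appear there), with the PRI value `<134>` put back in front because tcpdump decoded facility local0 (16) and severity info (6), and 16*8+6 = 134. A frame in the older RFC 3164 layout is rejected rather than half-parsed, which is the failure mode worth surfacing when a device is expected to speak RFC 5424.

```python
"""Parse an RFC 5424 syslog frame with a Citrix ADC / NetScaler style body (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the payload from the post's tcpdump capture, with the PRI that
# tcpdump decoded (facility local0=16, severity info=6 -> <134>) reattached.
SAMPLE = (
    "<134>1 2025-07-07T12:27:28Z XXXXXXX TCP 0-PPE-0 - - default CONN_DELINK 43355 0 : "
    "Source 85.215.68.62:36550 - Vserver 192.168.XX.XXX:443 - NatIP 192.168.XX.XXX:9258 - "
    "Destination 192.168.XX.XXX:443 - Delink Time 07/07/2025:12:27:28 GMT - "
    "Total_bytes_send 0 - Total_bytes_recv 378\n"
)

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# NetScaler body as seen in the capture: <feature> <event> <seq> <flags> : <key value> - <key value> ...
NETSCALER = re.compile(
    r"^(?P<feature>\S+) (?P<event>\S+) (?P<seq>\d+) (?P<flags>\d+) : (?P<body>.*)$", re.DOTALL
)

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert "
              "clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()


@dataclass
class SyslogEvent:
    pri: int
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: str
    message: str
    feature: str = ""          # NetScaler feature/module, e.g. "default"
    event_type: str = ""       # NetScaler event name, e.g. "CONN_DELINK"
    fields: dict = field(default_factory=dict)

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility] if self.facility < len(FACILITIES) else str(self.facility)

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_netscaler_fields(body: str) -> dict:
    """Split 'Key Name value - Key value' pairs. The key is the leading run of purely
    alphabetic/underscore words, so 'Delink Time 07/07/2025:12:27:28 GMT' keeps a
    two-word key and a two-token value instead of being split at the last space."""
    out = {}
    for chunk in body.split(" - "):
        words = chunk.strip().split(" ")
        i = 0
        while i < len(words) and re.fullmatch(r"[A-Za-z_]+", words[i]):
            i += 1
        if i == 0 or i == len(words):
            out[chunk.strip()] = ""  # no key/value boundary: keep the whole chunk as a flag
            continue
        out[" ".join(words[:i])] = " ".join(words[i:])
    return out


def parse_syslog(raw: str) -> SyslogEvent:
    """Parse one RFC 5424 frame. Raises ValueError for anything else, including a legacy
    RFC 3164 frame ('<134>Jul  7 12:27:28 host ...'), which has no VERSION field."""
    m = RFC5424.match(raw.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 frame")
    pri = int(m["pri"])
    if pri > 191:  # max facility 23, max severity 7
        raise ValueError(f"PRI {pri} out of range")
    ev = SyslogEvent(pri=pri, facility=pri >> 3, severity=pri & 7, version=int(m["version"]),
                     timestamp=m["timestamp"], hostname=m["hostname"], appname=m["appname"],
                     procid=m["procid"], msgid=m["msgid"], structured_data=m["sd"],
                     message=m["msg"] or "")
    body = NETSCALER.match(ev.message)
    if body:
        ev.feature, ev.event_type = body["feature"], body["event"]
        ev.fields = parse_netscaler_fields(body["body"])
    return ev


def is_rfc5424(raw: str) -> bool:
    """True when the frame parses as RFC 5424; False for malformed or legacy frames."""
    try:
        parse_syslog(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ev = parse_syslog(SAMPLE)
    print(f"{ev.facility_name}.{ev.severity_name} host={ev.hostname} app={ev.appname} "
          f"proc={ev.procid} event={ev.event_type}")
    for k, v in ev.fields.items():
        print(f"  {k} = {v}")
```

Running it against the captured frame reports `local0.info`, host `XXXXXXX`, app `TCP`, process `0-PPE-0` and the `CONN_DELINK` event with its key/value pairs, which confirms the device really emits a version-1 RFC 5424 header with `-` for MSGID and structured data. If a frame from a device fails `is_rfc5424`, the next thing to compare is what the sending side was configured to emit versus what the collector's parser expects for that vendor.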