Friday, July 31, 2015

Splunkin' the Windows Firewall Log automagically

Splunk and Windows Firewall logging, gettin' the fields out.

I spent a a bit of time trying to figure out how to get SPLUNK to parse out our Window Firewall logs.  I found several sites explaining how it should work.
I was able to get Transforms working by using the site .

For example, after feeding the logs into Splunk with a simple file monitor and forwarder, I would enter: " sourcetype=pfirewall | extract Transform_Windows_FW " and it would parse out the fields.

 I wanted this to happen automagically, so I tried the second part of the link above, where you edit the props.conf file.... fail.  So long story short, I edited the props.conf file to contain:

EXTRACT-date,time,action,protocol,src_ip,dst_ip,src_port,dst_port,size,info = ^(?P<date>[^ ]+)\s+(?P<time>[^ ]+)\s+(?P<action>[^ ]+)\s+(?P<protocol>\w+)[^ \n]* (?P<src_ip>[^ ]+)\s+(?P<dst_ip>[^ ]+)\s+(?P<src_port>[^ ]+)\s+(?P<dst_port>[^ ]+)\s+(?P<size>[^ ]+)(?:[^ \n]* ){8}(?P<info>\w+)

and added it to my search head.  Tested with IPv6 and it seems to work fine.
(Technically a co-worker tried this as I was trying other things, so he gets the credit)

p.s. You must edit the C:\Program Files\Splunk\etc\system\local\props.conf file, not the one in the default folder, or you might mess up some default functionality of Splunk.

Tuesday, July 21, 2015

Netscaler N00b no more?

My employer purchased a few Netscalers (NS) and put me and another dozen or so folks through training on how to configure and use it. But, nothing prepared me for the strange way Citrix and Citrix-fans write their documentation.

So here are a few things I learned in the last few weeks working with it:

 1) AD and AAA - there are many articles on how to use AAA with Active Directory. ( for example)  I searched for quite some time trying to figure out how to "link" an AD group to a NS group.  I assumed I would have to create a group on the NS, then tell the NS to associate that group with the AD group.... But no.  I wanted to customize what the NS group was called, but you cannot.  So here was my trick:  Create a group on the NS EXACTLY the way it is spelled in AD and associate it with a policy ( I used a built-in NS policy).  Then under "System, authentication, LDAP, Servers tab, the value I used was:
 "memberOf=CN=ad_group_name_here,OU=ou_where_group_is_located,DC=domain_name,DC=dopmain_name,DC=domain_name,DC=com" .  In short, a NS local group of the same name is associated with a local LDAP policy which is searched for using location in AD.
Also, here is another thing that I hope will save you some time.  LDAP using FQDNs did not work for us.  Instead, I had to create one server LDAP policy for each of our domain controllers using their individual IPs.  DNS is setup, and seems to work great with everything else tested (ping, traceroute), but it appears the Nestcaler does not handle multiple A record responses from a DNS server in this circumstance.

2) AppExpert Templates - I was experimenting with SharePoint behind the NS, and I came across the AppExpert Template for it.     It looked pretty neat, with lots of optimizations and promises of improved performance. 

I tried using many walk-troughs to implement it, but none of them seemed to work:

So, here is what I had to know to get the template properly installed:
-- The NAME you first enter MUST NOT include any special characters.  It will error towards the end with a strange message if you do.
-- You must not already have the resource of the "public endpoint" as a current Load balanced server or anywhere else if you can help it. The only thing you should have configured is the VIP configured on the NS itself.   The template will create the server for you.
--  Only a N00b like me probably thought this, but the template does not create a "load balanced" server, it created a "content switching server."  
-- If you need to delete the template, you will have to remove all of the Response, Rewrite, and all the other Policies and Actions it creates.  Luckily they will start with the name you provided above.

3) Mac address filtering -  We have some "real servers" and some VIPs behind and in front of the NS.  We could not figure out why the traffic would disappear.  It turned out that you must enable "
MAC based forwarding" under System, Settings, Configure Modes.  The networking team here hated me for a few days, and they thought I was an idiot, as their NS instance worked fine... but they didn't have anything that had to traverse a firewall.  This little checkbox was the reason it only half-worked for me.

4) Routes -  For me, the GUI is really confusing, as they have a column that says "Gateway/Owned IP/Name."  Long story short, add Routes using the CLI as it makes a hell of a lot more sense.

May your life and servers be forever balanced,