# LCE PRM LIBRARY # Copyright 2009 Tenable Network Security # This library may only be used with the LCE server and may not # be used with other products or open source projects # # NAME: # Citrix Access Gateway # # DESCRIPTION: # This library is used to process logs from a Citrix Access Gateway, # which are sent via SYSLOG. The SYSLOG messages must be sent either # directly to the Thunder server, or to a UNIX server running a Thunder # client which is 'tailing' a SYSLOG file on that system. # # LAST UPDATE: $Date: 2011/08/23 00:26:26 $ id=7545 name=This Citrix Access Gateway had a TCP connection terminate. It records number of bytes transmitted and received over the connection, with start and end time. match=TCP match=AT match= TCP CONN_TERMINATE match=IN match=ER match=CO match=ce match=Source match=est match=ion match=Destination regex=([a-zA-Z0-9._-]+) : TCP CONN_TERMINATE .* Source ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) - Destination ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-TCP_Conn_Terminate sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:application NEXT id=7546 name=This Citrix Access Gateway had a command executed. match=UI CMD_EXECUTED match=ser match=User match=ommand match=an regex=([a-zA-Z0-9._-]+) : UI CMD_EXECUTED .*Remote_ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Citrix_Access-CMD_Executed sensor:$1 srcip:$2 type:system NEXT id=7547 name=This Citrix Access Gateway logged a successful SSL handshake. match=SSLLOG SSL_HANDSHAKE_SUCCESS match=LO match=SSL regex=([a-zA-Z0-9._-]+) : SSLLOG SSL_HANDSHAKE_SUCCESS .* ClientIP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - ClientPort ([0-9]+) - VserverServiceIP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - VserverServicePort ([0-9]+) log=event:Citrix_Access-SSL_Handshake_Success sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:connection NEXT id=7548 name=This Citrix Access Gateway AAA (authentication, authorization and accounting) protocols extracted groups. match=RA match=AAA EXTRACTED_GROUPS match=AAA regex=([a-zA-Z0-9._-]+) : AAA EXTRACTED_GROUPS log=event:Citrix_Access-Extracted_Groups sensor:$1 type:system NEXT id=7549 name=This Citrix Access Gateway had a SSLVPN user successfully login. match=SSLVPN LOGIN match=IN match=LO match=SSLVPN match=SSL match=ont match=Context regex=([a-zA-Z0-9._-]+) : SSLVPN LOGIN .* User ([a-zA-Z0-9._-]+) - Client_ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*Vserver ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Login sensor:$1 user:$2 srcip:$3 dstip:$4 dstport:$5 type:login NEXT id=7550 name=This Citrix Access Gateway had a SSLVPN session receive a HTTP request. match=TP match=HTTP match=SSLVPN HTTPREQUEST match=ST match=SSLVPN match=SSL match=ser match=Vserver match=ont match=Context regex=([a-zA-Z0-9._-]+) : SSLVPN HTTPREQUEST .*\@([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* User ([a-zA-Z0-9._-]+) .*Vserver ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-HTTP_Request sensor:$1 srcip:$2 user:$3 dstip:$4 dstport:$5 type:system NEXT id=7551 name=This Citrix Access Gateway logs the TCP connection related information for a connection belonging to a SSLVPN session. match=AT match=SSLVPN TCPCONNSTAT match=ST match=CO match=SSLVPN match=SSL match=TCP match=ont match=Context regex=([a-zA-Z0-9._-]+) : SSLVPN TCPCONNSTAT .* User ([a-zA-Z0-9._-]+) .* Source ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) - Destination ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-TCP_Connstat sensor:$1 user:$2 srcip:$3 srcport:$4 dstip:$5 dstport:$6 type:connection NEXT id=7552 name=This Citrix Access Gateway had a ICA connection start recorded in syslog logging. match=SSL match=SSLVPN match=SSLVPN ICASTART match=RT match=ST match=Server port regex=([a-zA-Z0-9._-]+) : SSLVPN ICASTART .* Server port = ([0-9]+) - Server server ip = ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Citrix_Access-ICA_Start sensor:$1 dstport:$2 dstip:$3 type:system NEXT id=7553 name=This Citrix Access Gateway had a ICA connection stop recorded in syslog logging match=SSL match=SSLVPN match=AT match=EN match=SSLVPN ICAEND_CONNSTAT match=ST regex=([a-zA-Z0-9._-]+) : SSLVPN ICAEND_CONNSTAT .* Source ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) - Destination ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-ICA_End_Connstat sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:system NEXT id=7554 name=This Citrix Access Gateway had a SSLVPN session logout. match=SSL match=SSLVPN match=SSLVPN LOGOUT match=LO match=ont match=Context regex=([a-zA-Z0-9._-]+) : SSLVPN LOGOUT .* User ([a-zA-Z0-9._-]+) - Client_ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*Vserver ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Logout sensor:$1 user:$2 srcip:$3 dstip:$4 dstport:$5 type:logout NEXT id=7555 name=This Citrix Access Gateway had a SSLVPN session receive a HTTP request. match=TP match=HTTP match=SSL match=SSLVPN match=SSLVPN HTTPREQUEST match=ST match=!Vserver match=ont match=Context regex=([a-zA-Z0-9._-]+) : SSLVPN HTTPREQUEST .*\@([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* User ([a-zA-Z0-9._-]+) log=event:Citrix_Access-HTTP_Request sensor:$1 srcip:$2 user:$3 type:system NEXT id=7556 name=This Citrix Access Gateway had a start or stop saveconfig issued. match=EN match=EVENT match=SAVECONFIG regex=([a-zA-Z0-9._-]+) : EVENT S.*SAVECONFIG .* SAVECONFIG log=event:Citrix_Access-Save_Config sensor:$1 type:system NEXT id=7557 name=This Citrix Access Gateway had a server side and a client side TCP connection delinked. These are connections not being tracked. match=TCP match=OT match=TCP OTHERCONN_DELINK match=IN match=ER regex=([a-zA-Z0-9._-]+) : TCP OTHERCONN_DELINK .* Source ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) .*Destination ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Delink sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:system NEXT id=7558 name=This Citrix Access Gateway logged a handshake failure internal error. match=SSL match=SSLLOG SSL_HANDSHAKE_FAILURE match=LO match=ail match=rr match=Handshake failure-Internal Error match=an regex=([a-zA-Z0-9._-]+) : SSLLOG SSL_HANDSHAKE_FAILURE .* ClientIP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - ClientPort ([0-9]+) - VserverServiceIP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - VserverServicePort ([0-9]+) log=event:Citrix_Access-SSL_Handshake_Failure sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:error NEXT id=7559 name=This Citrix Access Gateway logged a device down. match=EN match=EVENT DEVICEDOWN match=EVENT match=ce match=Device match=St match=ate match=State DOWN regex=([a-zA-Z0-9._-]+) : EVENT DEVICEDOWN .*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Citrix_Access-Device_Down sensor:$1 srcip:$2 type:error NEXT id=7560 name=This Citrix Access Gateway had a command executed. match=ce match=ss match=Success match=UI CMD_EXECUTED match=Remote_ip (null) match=ser match=User match=ommand match=an regex=([a-zA-Z0-9._-]+) : UI CMD_EXECUTED .*Remote_ip \(null\) log=event:Citrix_Access-CMD_Executed sensor:$1 type:system NEXT id=7561 name=This Citrix Access Gateway had a SSLVPN session receive a HTTP request. match=TP match=HTTP match=SSL match=SSLVPN HTTPREQUEST match=ST match=ser match=Vserver match=ont match=Context regex=([a-zA-Z0-9._-]+) : SSLVPN HTTPREQUEST .*\@([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* User ([a-zA-Z0-9._-]+) .*Vserver ([0-9a-z]+\:[0-9a-z]+\:[0-9a-z]+\:[0-9a-z]+) log=event:Citrix_Access-HTTP_Request sensor:$1 srcip:$2 user:$3 type:system NEXT id=7562 name=This Citrix Access Gateway had a SNMP module start an alarm(usually when a value of a monitored attribute crosses the threshold value). match=EN match=EVENT match=ALERTSTARTED match=RT match=ST match=ER match=AL regex=([a-zA-Z0-9._-]+) : EVENT ALERTSTARTED log=event:Citrix_Access-SNMP_Alarm_Started sensor:$1 type:system NEXT id=7563 name=This Citrix Access Gateway had a SNMP module stop an alarm(usually when a value of a monitored attribute returns to normal state). match=EN match=EVENT match=ALERTENDED match=RT match=ER match=AL regex=([a-zA-Z0-9._-]+) : EVENT ALERTENDED log=event:Citrix_Access-SNMP_Alarm_Ended sensor:$1 type:system NEXT id=7564 name=This Citrix Access Gateway Netscaler has started. match=EN match=EVENT match=STARTSYS match=RT match=ST regex=([a-zA-Z0-9._-]+) : EVENT STARTSYS log=event:Citrix_Access-Netscaler_Started sensor:$1 type:restart NEXT id=7565 name=This Citrix Access Gateway logged when a particular CPU started. match=EN match=EVENT match=STARTCPU match=RT match=ST regex=([a-zA-Z0-9._-]+) : EVENT STARTCPU log=event:Citrix_Access-CPU_Started sensor:$1 type:restart NEXT id=7566 name=This Citrix Access Gateway logged a device out of service. match=EN match=EVENT match=EVENT DEVICEOFS regex=([a-zA-Z0-9._-]+) : EVENT DEVICEOFS .*?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Citrix_Access-Device_Out_Of_Service sensor:$1 srcip:$2 type:error NEXT id=7567 name=This Citrix Access Gateway logged a device up. match=EN match=EVENT match=EVENT DEVICEUP regex=([a-zA-Z0-9._-]+) : EVENT DEVICEUP .*?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Citrix_Access-Device_Up sensor:$1 srcip:$2 type:system NEXT id=7568 name=This Citrix Access Gateway network interface started. match=EN match=EVENT match=NICSTART match=RT match=ST regex=([a-zA-Z0-9._-]+) : EVENT NICSTART log=event:Citrix_Access-Network_Interface_Started sensor:$1 type:restart NEXT id=7569 name=This Citrix Access Gateway network interface stopped. match=EN match=EVENT match=NICSTOP match=ST regex=([a-zA-Z0-9._-]+) : EVENT NICSTOP log=event:Citrix_Access-Network_Interface_Stopped sensor:$1 type:system NEXT id=7570 name=This Citrix Access Gateway network interface is hung. match=EN match=EVENT match=NICHANG regex=([a-zA-Z0-9._-]+) : EVENT NICHANG log=event:Citrix_Access-Network_Interface_Hung sensor:$1 type:error NEXT id=7571 name=This Citrix Access Gateway network interface is reset. match=EN match=EVENT match=NICRESET match=SE regex=([a-zA-Z0-9._-]+) : EVENT NICRESET log=event:Citrix_Access-Network_Interface_Reset sensor:$1 type:system NEXT id=7572 name=This Citrix Access Gateway network interface is bound or unbound from a channel. match=EN match=EVENT match=AT match=RA match=NICMIGRATE regex=([a-zA-Z0-9._-]+) : EVENT NICMIGRATE log=event:Citrix_Access-Network_Interface_Migrate sensor:$1 type:system NEXT id=7573 name=This Citrix Access Gateway Netscaler system is stopped. match=EN match=EVENT match=STOPSYS match=ST regex=([a-zA-Z0-9._-]+) : EVENT STOPSYS log=event:Citrix_Access-Netscaler_Stopped sensor:$1 type:restart NEXT id=7574 name=This Citrix Access Gateway bad memory is freed(internal error). match=EN match=EVENT match=FREEBADMEM regex=([a-zA-Z0-9._-]+) : EVENT FREEBADMEM log=event:Citrix_Access-Bad_Memory_Freed sensor:$1 type:error NEXT id=7575 name=This Citrix Access Gateway duplicate memory is freed(internal error). match=EN match=EVENT match=FREEDUPMEM regex=([a-zA-Z0-9._-]+) : EVENT FREEDUPMEM log=event:Citrix_Access-Duplicate_Memory_Freed sensor:$1 type:error NEXT id=7576 name=This Citrix Access Gateway the wrong pool of memory is freed(internal error). match=EN match=EVENT match=FREEEXTMEM regex=([a-zA-Z0-9._-]+) : EVENT FREEEXTMEM log=event:Citrix_Access-Wrong_Pool_Memory_Freed sensor:$1 type:error NEXT id=7577 name=This Citrix Access Gateway high availability propagation has succeeded. match=EN match=EVENT match=PROPSUCCESS regex=([a-zA-Z0-9._-]+) : EVENT PROPSUCCESS log=event:Citrix_Access-HA_Propagation_Succeeded sensor:$1 type:system NEXT id=7578 name=This Citrix Access Gateway high availability propagation failed. match=PROPFAIL match=EN match=EVENT regex=([a-zA-Z0-9._-]+) : EVENT PROPFAIL log=event:Citrix_Access-HA_Propagation_Failed sensor:$1 type:error NEXT id=7579 name=This Citrix Access Gateway high availability state has changed. match=EN match=EVENT match=AT match=STATECHANGE match=ST regex=([a-zA-Z0-9._-]+) : EVENT STATECHANGE log=event:Citrix_Access-HA_State_Changed sensor:$1 type:system NEXT id=7580 name=This Citrix Access Gateway has started to flush the cache. match=EN match=EVENT match=CACHESTARTFLUSH match=RT match=ST regex=([a-zA-Z0-9._-]+) : EVENT CACHESTARTFLUSH log=event:Citrix_Access-Cache_Flush_Start sensor:$1 type:system NEXT id=7581 name=This Citrix Access Gateway has stopped flushing the cache. match=EN match=EVENT match=CACHESTOPFLUSH match=ST regex=([a-zA-Z0-9._-]+) : EVENT CACHESTOPFLUSH log=event:Citrix_Access-Cache_Flush_Stop sensor:$1 type:system NEXT id=7582 name=This Citrix Access Gateway had the monitor bound to the service has had its threshold reached. match=EN match=EVENT match=MONITORTH match=RT regex=([a-zA-Z0-9._-]+) : EVENT MONITORTH log=event:Citrix_Access-Monitor_Threshold_Reached sensor:$1 type:error NEXT id=7583 name=This Citrix Access Gateway has the monitor bound to the service down. match=EN match=EVENT match=MONITORDOWN regex=([a-zA-Z0-9._-]+) : EVENT MONITORDOWN log=event:Citrix_Access-Monitor_Down sensor:$1 type:error NEXT id=7584 name=This Citrix Access Gateway has the monitor bound to the service up. match=EN match=EVENT match=MONITORUP regex=([a-zA-Z0-9._-]+) : EVENT MONITORUP log=event:Citrix_Access-Monitor_Up sensor:$1 type:system NEXT id=7585 name=This Citrix Access Gateway Netscaler has started reading the configuration from ns.conf file (during boot-up). match=EN match=EVENT match=CONFIGSTART match=RT match=ST regex=([a-zA-Z0-9._-]+) : EVENT CONFIGSTART log=event:Citrix_Access-Netscaler_Reading_Config sensor:$1 type:restart NEXT id=7586 name=This Citrix Access Gateway Netscaler has completed reading the configuration from ns.conf file (during boot-up). match=EN match=EVENT match=CONFIGEND regex=([a-zA-Z0-9._-]+) : EVENT CONFIGEND log=event:Citrix_Access-Netscaler_Ended_Reading_Config sensor:$1 type:restart NEXT id=7587 name=This Citrix Access Gateway has recorded low throughput thru the NIC. match=EN match=EVENT match=CL match=NICLOW_THROUGHPUT match=LO regex=([a-zA-Z0-9._-]+) : EVENT NICLOW_THROUGHPUT log=event:Citrix_Access-Low_Throughput_Thru_NIC sensor:$1 type:error NEXT id=7588 name=This Citrix Access Gateway has recorded normal throughput thru the NIC. match=EN match=EVENT match=NICNORMAL_THROUGHPUT match=AL regex=([a-zA-Z0-9._-]+) : EVENT NICNORMAL_THROUGHPUT log=event:Citrix_Access-Normal_Throughput_Thru_NIC sensor:$1 type:system NEXT id=7589 name=This Citrix Access Gateway has recorded a restart of the PITTBOSS system due to the PID process reaching the maximum number of restarts. match=PB_ match=PB_SYSTEM_RESTART match=RT match=ST regex=([a-zA-Z0-9._-]+) : PITTBOSS PB_SYSTEM_RESTART log=event:Citrix_Access-Pittboss_System_Restart sensor:$1 type:restart NEXT id=7590 name=This Citrix Access Gateway has recorded a restart of the PITTBOSS process. match=PB_ match=PB_PROCESS_RESTART match=RT match=ST regex=([a-zA-Z0-9._-]+) : PITBOSS PB_PROCESS_RESTART log=event:Citrix_Access-Pittboss_Process_Restart sensor:$1 type:restart NEXT id=7591 name=This Citrix Access Gateway has recorded that the SSL certificate will expire soon. match=SSL match=EN match=SSLLOG SSL_CERT_EXPIRY_IMMINENT match=RT match=IN match=ER match=LO regex=([a-zA-Z0-9._-]+) : SSLLOG SSL_CERT_EXPIRY_IMMINENT log=event:Citrix_Access-SSL_Cert_Expiring_Soon sensor:$1 type:error NEXT id=7592 name=This Citrix Access Gateway had a SSLVPN session timeout. match=SSL match=SSLVPN match=SSLVPN TCPCONN_TIMEDOUT match=CO match=TCP match=ser match=Vserver regex=([a-zA-Z0-9._-]+) : SSLVPN TCPCONN_TIMEDOUT .* User ([a-zA-Z0-9._-]+) .* Client_ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* Vserver ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Session_Timeout sensor:$1 user:$2 srcip:$3 dstip:$4 dstport:$5 type:system NEXT id=7593 name=This Citrix Access Gateway had a non HTTP resource access denied. match=TP match=HTTP match=EN match=NONHTTP_RESOURCEACCESS_DENIED match=ser match=Vserver regex=([a-zA-Z0-9._-]+) : SSLVPN NONHTTP_RESOURCEACCESS_DENIED .* User ([a-zA-Z0-9._-]+) .* Source ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) - Destination ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Non_HTTP_Denied sensor:$1 user:$2 srcip:$3 srcport:$4 dstip:$5 dstport:$6 type:firewall NEXT id=7594 name=This Citrix Access Gateway had an HTTP resource access denied. match=TP match=HTTP match=EN match= HTTP_RESOURCEACCESS_DENIED regex=([a-zA-Z0-9._-]+) : SSLVPN HTTP_RESOURCEACCESS_DENIED .*?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* User ([a-zA-Z0-9._-]+) log=event:Citrix_Access-HTTP_Denied sensor:$1 srcip:$2 user:$3 type:firewall NEXT id=7595 name=This Citrix Access Gateway had its SSLVPN license limit reached. match=SSL match=SSLVPN match=CL match=SSLVPN LICLMT_REACHED match=ser match=Vserver regex=([a-zA-Z0-9._-]+) : SSLVPN LICLMT_REACHED .* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Citrix_Access-License_Limit sensor:$1 srcip:$2 type:error NEXT id=7596 name=This Citrix Access Gateway client security check for a SSLVPN session has failed. match=ser match=User match=IP match=SSL match=SSLVPN match=CL match=SSLVPN CLISEC_CHECK match=SE match=ent match=ecu match=ion match=ty match=ss match=Client_security_expression match=ail match=le match=ed match=Client security check failed regex=([a-zA-Z0-9._-]+) : SSLVPN CLISEC_CHECK : User ([a-zA-Z0-9._-]+) - Client IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - Vserver ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Security_Check_Fails sensor:$1 user:$2 srcip:$3 dstip:$4 dstport:$5 type:error NEXT id=7597 name=This Citrix Access Gateway client security expression evaluates to false. match=ser match=User match=IP match=SSL match=SSLVPN match=CL match=SSLVPN CLISEC_EXP_EVAL match=SE match=AL match=ent match=ecu match=ion match=ty match=ss match=Clientsecurityexpression match=False regex=([a-zA-Z0-9._-]+) : SSLVPN CLISEC_EXP_EVAL : User ([a-zA-Z0-9._-]+) - Client IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - Vserver ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) log=event:Citrix_Access-Security_False sensor:$1 user:$2 srcip:$3 dstip:$4 dstport:$5 type:error NEXT id=7598 name=This Citrix Access Gateway client reports a AAA login failed. match=AAA match=ail match=ailure match= AAA LOGIN_FAILED match=IN match=LO match=ent match=Client_ip match=ser match=ion match=ce match=ed match=ss match=Failure_reason "External authentication server denied access" regex=([a-zA-Z0-9._-]+) : AAA LOGIN_FAILED .*: User ([a-zA-Z0-9._-]+) - Client_ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - Failure_reason "External authentication server denied access" log=event:Citrix_AAA_Login_Failed sensor:$1 user:$2 srcip:$3 type:login-failure NEXT id=7599 name=This Citrix Access Gateway has recorded a link aggregation control protocol related event. match=ortal match=CL match=NICLACPSC regex=([a-zA-Z0-9._-]+) : NICLACPSC log=event:Citrix_Access-LACP_Event sensor:$1 type:error NEXT id=7600 name=This Citrix Access Gateway recorded a login failure to the VPN. match=MAC match=ailure match=failure match=user match=ser match= from match=from match=rom match=ogin match=Login failure for user [ match=server:vpnd: log= event:Citrix_Access-VPN_Login_Failure type:login-failure NEXT id=7601 name=This Citrix Access Gateway recorded a valid login to the VPN. match=user match=ser match=RA match=] is in the following RADIUS groups: match=in match=ing match=server:radius: log= event:Citrix_Access-VPN_Login type:login