elastic
diff --git a/‎.buildkite/pipeline.schedule-daily.yml‎
Lines changed: 1 addition & 1 deletion b/‎.buildkite/pipeline.schedule-daily.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/azure/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/azure/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/azure/manifest.yml‎
Lines changed: 1 addition & 1 deletion b/‎packages/azure/manifest.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/azure_functions/_dev/build/docs/README.md‎
Lines changed: 6 additions & 1 deletion b/‎packages/azure_functions/_dev/build/docs/README.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎packages/azure_functions/docs/README.md‎
Lines changed: 6 additions & 1 deletion b/‎packages/azure_functions/docs/README.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎packages/citrix_adc/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/citrix_adc/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log‎
Lines changed: 1 addition & 0 deletions b/‎packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json‎
Lines changed: 47 additions & 0 deletions b/‎packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-sslvpn-message.log-expected.json‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml‎
Lines changed: 3 additions & 1 deletion b/‎packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎packages/citrix_adc/manifest.yml‎
Lines changed: 1 addition & 1 deletion b/‎packages/citrix_adc/manifest.yml‎
Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ steps:
       env:
         SERVERLESS: "false"
         FORCE_CHECK_ALL: "true"
-        STACK_VERSION: 7.17.24-SNAPSHOT
+        STACK_VERSION: 7.17.25-SNAPSHOT
     depends_on:
       - step: "check"
         allow_failure: false
 
@@ -1,3 +1,8 @@
+- version: "1.15.0"
+  changes:
+    - description: Add new section on Azure Functions hosting plans.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10984
 - version: "1.14.0"
   changes:
     - description: Add global dataset filter for dashboards to improve performance.
 
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 1.14.0
+version: 1.15.0
 description: This Elastic integration collects logs from Azure
 type: integration
 icons:
 
@@ -2,8 +2,13 @@
 
 The Azure Functions integration allows you to monitor Azure Functions. Azure Functions is an event-driven, serverless compute platform that helps you develop more efficiently using the programming language of your choice. Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger. 
 
-Use this integration to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
+Use Azure Functions to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
 
+## Hosting plans and metrics
+
+Each Azure Functions app requires a hosting plan: Consumption plan, Flex Consumption plan, Premium plan, Dedicated plan, or Container Apps. For more details on the various plans, check the [Azure Functions hosting options](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale?WT.mc_id=Portal-WebsitesExtension).
+
+These plans differ from eachother in the number of metrics they generate, which are then exported outside of Azure for other monitoring solutions like Elastic Observability. For example, metrics specific to Azure Function Apps, such as 'FunctionExecutionCount' and 'FunctionExecutionUnits', are only available for function apps operating on a Consumption (serverless) plan and are not observed in other plans. On the other hand, all other metrics are generated exclusively for Premium and Dedicated plans and are not available for the Consumption plan.
 
 ## Data streams
 The Azure Functions integration contains two data streams: [Function App Logs](#logs) and [Metrics](#metrics)
 
@@ -2,8 +2,13 @@
 
 The Azure Functions integration allows you to monitor Azure Functions. Azure Functions is an event-driven, serverless compute platform that helps you develop more efficiently using the programming language of your choice. Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger. 
 
-Use this integration to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
+Use Azure Functions to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
 
+## Hosting plans and metrics
+
+Each Azure Functions app requires a hosting plan: Consumption plan, Flex Consumption plan, Premium plan, Dedicated plan, or Container Apps. For more details on the various plans, check the [Azure Functions hosting options](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale?WT.mc_id=Portal-WebsitesExtension).
+
+These plans differ from eachother in the number of metrics they generate, which are then exported outside of Azure for other monitoring solutions like Elastic Observability. For example, metrics specific to Azure Function Apps, such as 'FunctionExecutionCount' and 'FunctionExecutionUnits', are only available for function apps operating on a Consumption (serverless) plan and are not observed in other plans. On the other hand, all other metrics are generated exclusively for Premium and Dedicated plans and are not available for the Consumption plan.
 
 ## Data streams
 The Azure Functions integration contains two data streams: [Function App Logs](#logs) and [Metrics](#metrics)
 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+  changes:
+    - description: "Improve handling of SSLVPN Message."
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11121
 - version: "1.8.0"
   changes:
     - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
 
@@ -0,0 +1 @@
+<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : "[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400"
@@ -0,0 +1,47 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2024-09-09T14:13:39.000Z",
+            "citrix": {
+                "cef_format": false,
+                "default_class": true,
+                "detail": "<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : \"[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400\"",
+                "device_event_class_id": "SSLVPN",
+                "extended": {
+                    "message": "[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400"
+                },
+                "host": "PRODSY3VPX01",
+                "name": "Message"
+            },
+            "citrix_adc": {
+                "log": {
+                    "message": "[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "id": "30461998",
+                "original": "<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : \"[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400\"",
+                "severity": 0,
+                "timezone": "UTC",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "product": "Netscaler",
+                "type": "firewall",
+                "vendor": "Citrix"
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
+        }
+    ]
+}
@@ -10,9 +10,11 @@ processors:
       tag: grok_detail
       field: citrix.detail
       patterns:
+        - '^%{SPACE}%{HEADER_NOTIMEZONE} : %{DATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"'
         - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"'
         - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}'
       pattern_definitions:
+        HEADER_NOTIMEZONE: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
         HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone}? (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}'
         NATIVE_TIMESTAMP: '(?:%{MONTHNUM}/%{MONTHDAY}/%{YEAR}|%{YEAR}/%{MONTHNUM}/%{MONTHDAY}|%{MONTHDAY}/%{MONTHNUM}/%{YEAR}):%{HOUR}:%{MINUTE}:%{SECOND}'  
   - grok:
@@ -83,7 +85,7 @@ processors:
   - pipeline:
       name: '{{ IngestPipeline "sslvpn_and_aaatm_feature" }}'
       tag: pipeline_sslvpn_and_aaatm_feature
-      if: ctx.citrix?.device_event_class_id != null && (ctx.citrix.device_event_class_id == "SSLVPN" || ctx.citrix.device_event_class_id == "AAATM")
+      if: ctx.citrix?.device_event_class_id != null && ((ctx.citrix.device_event_class_id == "SSLVPN" && !ctx.citrix?.name?.equalsIgnoreCase("MESSAGE")) || ctx.citrix.device_event_class_id == "AAATM")
   - pipeline:
       name: '{{ IngestPipeline "ci_feature" }}'
       tag: pipeline_ci_feature
 
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: citrix_adc
 title: Citrix ADC
-version: "1.8.0"
+version: "1.8.1"
 description: This Elastic integration collects logs and metrics from Citrix ADC product.
 type: integration
 categories:
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<135> 09/09/2024:14:13:39 PRODSY3VPX01 0-PPE-0 : default SSLVPN Message 30461998 0 : "[Remote ip = 109.117.241.115:5019] {ns_handle_free_resources:13910} freeing sta resource for pcb:{src-ip:port=109.117.241.115:5019} <-> {dst-ip:port=75.60.204.46:443} pcbdevno=0xa14452, user_domain=(, ns_aaa->csg_flags=0x400"`