
Monitoring AppFirewall Syslog Events

May 27, 2015

Use Command Center to monitor security violations encountered on the NetScaler devices by the Application Firewall module. Run built-in reports to monitor the top security violations encountered by the application firewall feature. Also, view the details of the AppFirewall log messages when a message is generated on a security violation. Further configure views to monitor specific violations, and use the Search functionality to search for specific log messages.

This topic includes the following details:

  • Using the Dashboard
  • Using Reports
  • Viewing Recent Log Messages
  • Configuring Views
  • Searching Recent AppFirewall Log Messages

Using the Dashboard

Use the Application Firewall dashboard to monitor security violations encountered on the NetScaler devices by the Application Firewall module. By default, the dashboard shows the security violations encountered during the last one week.

To monitor the AppFirewall syslog events dashboard

  1. On the Reporting tab, in the left pane, under AppFirewall, click Dashboard.
  2. In the right pane, under Dashboard, you can view the following:
    • Violations by type: Specifies the number of violations for each type of threat, such as Deny URL, SQL Injection, and Cross-site Script.
    • Number of violations: Specifies the total number of violations that are blocked, not blocked, and transformed.
    • Signature violations by category: Specifies the number of violations encountered by types of application firewall signatures, such as web-cgi, web-client, and so on. The application firewall signatures function provides specific rules (or signatures), and specific SQL injection and cross-site scripting patterns, that protect your Web sites against known attacks. For more information about signatures, see the "Signatures" chapter in the Citrix Application Firewall Guide.
    • Top 5 clients by violations: Specifies the top five clients that have encountered security violations.
    • Top 5 NetScalers by violations: Specifies the top five devices that have encountered security violations.
    • Top 5 profiles by violations: Specifies the top five profiles that have encountered security violations.
    • Recent 5 violations: Specifies the recent five security violations.
  3. To view violations in the last 24 hours, or last 2 weeks, or for a custom period of time, under Dashboard, click Settings.

Using Reports

Command Center provides four built-in reports to monitor the top security violations encountered by the application firewall feature. These reports let you monitor violations encountered by clients, devices, and profiles, and also the different types of violations.

The four reports are:

  • Top violations by client
  • Top violations by profile
  • Top violations by device
  • Top violations by type
  • Top signature violations by category

To monitor the AppFirewall syslog events using reports

  1. On the Reporting tab, in the left pane, under AppFirewall, click Reports.
  2. In the right pane, under Reports, you can do the following:
    • View Graphs: Click the built-in report, and then click View Graph to view a graphical report of the top 5, 10, 15, or 20 violations encountered during the last 24 hours, one week, two weeks, or a custom period of time.
    • Schedule Reports: Click the built-in report, and click Schedule Report to run the violations reports at a later date and time.
    • View Scheduled Reports: Click Scheduled Reports to view the details of the date and time when the reports are scheduled to be run.

Viewing Recent Log Messages

You can view the details of the AppFirewall log messages when a message is generated on a security violation. You can also search for specific log messages based on the entire message text or a substring of the message.

To view the recent AppFirewall Log Messages

  1. On the Reporting tab, in the left pane, under AppFirewall, click Recent Logs.
  2. In the right pane, under Recent Logs, you can view the following details for each security violation:
    • Date/Time: Specifies the date and time when the violation was encountered.
    • Source: Specifies the IP address, the system name, or the host name of the NetScaler device on which the violation was noticed, depending on the device label configuration. For more information about configuring the device label, see Configuring Server Settings.
    • Event ID: Specifies the unique identification number of every NetScaler syslog.
    • Transaction ID: Specifies the unique identification number of every AppFirewall syslog message from the NetScaler appliance.
    • Message: Specifies the message that is generated on the device when the violation occurs. The message describes the type of violation.
  3. To search for log messages based on a message string, in Search, type the message text or a substring of the message, and then click GO. For example, to view the log messages for a specific session, such as 232173, type 232173. To view all log messages for the profile pr_html, type pr_html.

Configuring Views

You can add views to monitor specific types of AppFirewall log messages based on the source, violation type, message generated, and date range. Views make it easier to monitor a large number of violations encountered by the AppFirewall module. For example, you can create a view to monitor all violations of type Deny URL.

The views you create are associated with your Command Center user account.

Adding Views

You can create different views for various types of AppFirewall log messages that are generated on the devices monitored in the Citrix network when a security violation is encountered.

To add views to monitor AppFirewall logs

  1. On the Reporting tab, in the left pane, under AppFirewall, expand Recent Logs, and then click Views.
  2. In the right pane, under Views, click Add.
  3. Under Create Recent Logs View, fill the following details.
    • Name: The user-defined view name. Type a name for the AppFirewall log view.
    • Devices: The IP address of the device on which the log is generated when the violation occurs. Select the IP addresses of the devices for which you want to create the view.
    • Violation Type: The type of violation encountered by AppFirewall, such as SQL Injection and Deny URL. Select the violation types for which you want to create the view.
    • Profile: The profile containing the security checks that you want the Application Firewall to use when filtering a particular request or response, and how to handle a request or response that fails a security check. Type the name of the profile for which you want to create the view.
    • Client IP: The IP address that the client used to connect to your protected Web server. Type the IP address of the client for which you want to create the view.
    • URL: The URL to which requests are directed.
    • Message: The log message that is generated. Select the operator, such as equals, not equals, and then type the message for which you want to create the view. Note that the message should be exactly the same as it is generated on the NetScaler device.
    • From Date and To Date: The date range when the syslogs are generated. Select the range for which you want to create the view.

Modifying Views

Use the Modify View option to modify the AppFirewall views you have created.

To modify views to monitor AppFirewall logs

  1. On the Reporting tab, in the left pane, under AppFirewall, expand Recent Logs, and click Views.
  2. In the right pane, under Views, click the view name you want to modify.
  3. In the right pane, click Modify View.
  4. Under Configure Recent Log View, modify the values you want to change, and then click OK.

Searching Recent AppFirewall Log Messages

Use the Search functionality to search for specific AppFirewall log messages.

Use either the entire log message or a substring of the message to search, or use one of the following criteria to search:

  • Client IP: The IP address that the client used to connect to your protected Web server.
  • Date: The date range when the syslogs are generated. Select the date and time for which you want to search the syslog messages. To search for syslog messages generated within a range of time, select the 'is between' sub-criterion of the Date criterion.
  • Message: The syslog message that is generated. Select Message, and then type the message for which you want to search the syslog messages. Note that the message should be exactly the same as it is generated on the NetScaler device.
  • Profile: The profile containing the security checks that you want the Application Firewall to use when filtering a particular request or response, and how to handle a request or response that fails a security check. Type the name of the profile for which you want to search the syslog messages.
  • URL: The URL to which requests are directed.
  • Violation Type: The type of violation encountered by AppFirewall, such as SQL Injection and Deny URL.

To search for log messages

  1. On the Reporting tab, in the left pane, under AppFirewall, click Recent Logs.
  2. In the right pane, under Recent Logs, click the Search icon.
  3. In the search pane, use the drop-down list to select the filter criteria, and then enter the search keyword in the text box. You can also use the logical operators to define the search keyword.
  4. Click the + icon or press the Enter key to add the criteria, and then click Refine Search. The search results are displayed.
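The Dashboard panels, the Create Recent Logs View criteria, and the Recent Logs search described above all operate on the same AppFirewall syslog records. The following added example (it is not part of the Command Center documentation or product code) models that pipeline in Python: it parses a handful of constructed log lines, computes the dashboard aggregates (violations by type, blocked/not blocked/transformed counts, top-N clients, devices and profiles, recent violations), applies a view built from the same criteria the Views pane offers (devices, violation type, profile, client IP, URL, message with equals/not equals, date range), and performs the substring search. The field layout of the sample lines, the `APPFW_*` tokens, and the mapping from those tokens to dashboard labels are assumptions made for the example, not the actual NetScaler syslog format.

```python
# Added example: a model of the AppFirewall Dashboard, Views and Search logic
# over constructed log lines. Not Command Center or NetScaler code.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample syslog lines. The field order (timestamp, device, violation
# type, transaction ID, client IP, profile, URL, message ending with the action)
# is an assumption modelled loosely on NetScaler AppFirewall syslog output.
SAMPLE_LOGS = """\
05/20/2015:10:15:02 GMT 10.0.0.1 APPFW_DENYURL 232173 : 192.0.2.10 pr_html http://shop.example/admin Disallowed URL <blocked>
05/20/2015:10:15:09 GMT 10.0.0.1 APPFW_SQL 232174 : 192.0.2.10 pr_html http://shop.example/search SQL keyword check failed <blocked>
05/21/2015:08:02:44 GMT 10.0.0.2 APPFW_XSS 232175 : 198.51.100.7 pr_api http://api.example/post Cross-site script check failed <not blocked>
05/22/2015:12:45:00 GMT 10.0.0.2 APPFW_SQL 232176 : 203.0.113.9 pr_api http://api.example/login SQL keyword check failed <transformed>
05/23/2015:23:59:59 GMT 10.0.0.3 APPFW_DENYURL 232177 : 192.0.2.10 pr_html http://shop.example/.git Disallowed URL <blocked>
"""

# Assumed mapping from log tokens to the dashboard's violation-type labels.
VTYPE_LABELS = {"APPFW_DENYURL": "Deny URL", "APPFW_SQL": "SQL Injection",
                "APPFW_XSS": "Cross-site Script"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) GMT (?P<source>\S+) (?P<vtype>APPFW_\w+) (?P<txn>\d+) : "
    r"(?P<client>\S+) (?P<profile>\S+) (?P<url>\S+) (?P<message>.*<(?P<action>[^>]+)>)$")


def ts(s):
    """Parse the timestamp format used in the sample lines (e.g. 05/21/2015:00:00:00)."""
    return datetime.strptime(s, "%m/%d/%Y:%H:%M:%S")


@dataclass(frozen=True)
class Violation:
    when: datetime
    source: str      # device that reported the violation
    vtype: str       # dashboard label, e.g. "Deny URL"
    txn: int         # transaction ID
    client: str      # client IP
    profile: str
    url: str
    message: str     # message text including the <action> suffix
    action: str      # blocked / not blocked / transformed
    raw: str         # whole line, used by substring search


def parse(text):
    """Parse lines that match the assumed layout; lines that do not are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Violation(
            when=ts(m["ts"]), source=m["source"],
            vtype=VTYPE_LABELS.get(m["vtype"], m["vtype"]),
            txn=int(m["txn"]), client=m["client"], profile=m["profile"],
            url=m["url"], message=m["message"], action=m["action"], raw=line))
    return events


# --- Dashboard panels ---------------------------------------------------------
def violations_by_type(events):
    return Counter(e.vtype for e in events)


def number_of_violations(events):
    """Blocked / not blocked / transformed counts."""
    return Counter(e.action for e in events)


def top_n(events, field, n=5):
    """Top-N clients ("client"), devices ("source") or profiles ("profile")."""
    return Counter(getattr(e, field) for e in events).most_common(n)


def recent(events, n=5):
    return sorted(events, key=lambda e: e.when, reverse=True)[:n]


# --- Views and Search ---------------------------------------------------------
def matches(e, view):
    """Apply the Create Recent Logs View criteria; an absent criterion is ignored."""
    if view.get("devices") and e.source not in view["devices"]:
        return False
    if view.get("violation_types") and e.vtype not in view["violation_types"]:
        return False
    for key in ("profile", "client", "url"):
        if view.get(key) and getattr(e, key) != view[key]:
            return False
    if view.get("message"):
        op, text = view["message"]  # ("equals" | "not equals", exact message text)
        if (op == "equals") != (e.message == text):
            return False
    start, end = view.get("date_range", (None, None))
    if (start and e.when < start) or (end and e.when > end):
        return False
    return True


def apply_view(events, view):
    return [e for e in events if matches(e, view)]


def search(events, text):
    """Recent Logs search: the whole message or any substring (session ID, profile, ...)."""
    return [e for e in events if text in e.raw]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("Violations by type:", dict(violations_by_type(evs)))
    print("Top clients:", top_n(evs, "client"))
    print("Deny URL view:", [e.txn for e in apply_view(evs, {"violation_types": {"Deny URL"}})])
    print("Search 232173:", [e.txn for e in search(evs, "232173")])
```

The message criterion is deliberately an exact comparison, matching the note in the Views and Search sections that the message must be exactly as generated on the device, while `search` is a plain substring match over the whole record, which is why typing a session ID such as 232173 or a profile name such as pr_html finds the relevant lines.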