ADC

SYSLOG Over TCP

Syslog is a standard for sending event notification messages. These messages can be stored locally or on an external log server. Syslog enables network administrators to consolidate log messages and derive insights from the collected data.

Syslog is originally designed to work over UDP, which can transmit a huge amount of data within the same network with minimal packet loss. However, telco operators prefer to transmit syslog data over TCP, because they need reliable, ordered data transmission between networks. For example, telco tracks user activities, and TCP provides retransmission in the event of network failure.

How Syslog over TCP works

To understand how syslog over TCP works, consider two hypothetical cases:

Sam, a network administrator, wants to log significant events on an external syslog server.

XYZ Telecom, an ISP, has to transmit and store a significant amount of data on syslog servers to comply with government regulations.

In both cases, the log messages must be transmitted over a reliable channel and stored safely on an external syslog server. Unlike UDP, TCP establishes a connection, transmits messages securely, and retransmits (from sender to receiver) any data that is corrupted or lost because of network failure.

The Citrix ADC appliance sends log messages over UDP to the local syslog daemon, and sends log messages over TCP or UDP to external syslog servers.

SNIP support for Syslog

When the audit-log module generates syslog messages, it uses a Citrix ADC IP (NSIP) address as the source address for sending the messages to an external syslog server. To configure a SNIP as the source address, you must make it part of the netProfile option and bind the netProfile to the syslog action.

Note

TCP uses SNIP for sending monitoring probes to check the connectivity and then sends the logs over NSIP. Hence the syslog server must be reachable via SNIP. Net profiles can be used to redirect all the TCP syslog traffic through SNIP entirely.

Use of a SNIP address is not supported in internal logging.

Fully qualified domain name support for audit Log

Previously, the audit-log module was configured with the destination IP address of the external syslog server to which the log messages are sent. Now, the audit-log server uses a fully qualified domain name (FQDN) instead of the destination IP address. The FQDN configuration resolves the configured domain name of the syslog server to the corresponding destination IP address for sending the log messages from the audit-log module. The name server must be properly configured to resolve the domain name and avoid domain based service issues.

Note

When configuring an FQDN, server domain name configuration of the same Citrix ADC appliance in syslog action or nslog action is not supported.

Configuring Syslog over TCP by using the Command Line Interface

To configure a Citrix ADC appliance to send syslog messages over TCP by using the command line interface

At the command prompt, type:

    add audit syslogAction <name> (<serverIP> | ((<serverDomainName>[-domainResolveRetry <integer>]) | -lbVserverName<string>))[-serverPort <port>] -logLevel <logLevel>[-dateFormat <dateFormat>] [-logFacility <logFacility>]   [-tcp ( NONE | ALL )] [-acl ( ENABLED | DISABLED )][-timeZone ( GMT_TIME | LOCAL_TIME )][-userDefinedAuditlog ( YES | NO )][-appflowExport ( ENABLED | DISABLED )] [-lsn ( ENABLED | DISABLED )][-alg ( ENABLED | DISABLED )] [-subscriberLog ( ENABLED | DISABLED )][-transport ( TCP | UDP )] [-tcpProfileName <string>][-maxLogDataSizeToHold <positive_integer>][-dns ( ENABLED | DISABLED )] [-netProfile <string>]
<!--NeedCopy-->

    add audit syslogaction audit-action1 10.102.1.1 -loglevel INFORMATIONAL -dateformat MMDDYYYY -transport TCP
<!--NeedCopy-->

Adding SNIP IP address to net profile option by using the command line interface

To add a SNIP IP address to net profile by using the command line interface

At the command prompt, type:

    add netProfile <name> [-td <positive_integer>] [-srcIP <string>][-srcippersistency ( ENABLED | DISABLED )][-overrideLsn ( ENABLED | DISABLED )]add syslogaction <name> <serverIP> –loglevel all –netprofile net1
<!--NeedCopy-->
    add netprofile net1 –srcip 10.102.147.204`
<!--NeedCopy-->

Where, srcIP is the SNIP

Adding a net profile in a syslog action by using the command line interface

To add a netProfile option in a syslog action by using the command line interface

At the command prompt, type:

     add audit syslogaction <name> (<serverIP> | -lbVserverName <string>)  -logLevel <logLevel>
    -netProfile <string> …

<!--NeedCopy-->
    add syslogaction sys_act1 10.102.147.36 –loglevel all –netprofile net1
<!--NeedCopy-->

Where, -netprofile specifies the name of the configured net profile. The SNIP address is configured as part of the netProfile and this netProfile option is bound to the syslog action.

Note

You must always bind the netProfile option to the SYSLOGUDP or SYSLOGTCP services bound to the SYSLOGUDP or SYSLOGTCP load balancing virtual server, when an LB virtual server name is configured in syslog action.

Configuring FQDN support by using the command line interface

To add a server domain name to a Syslog action by using the command line interface

At the command prompt, type:

add audit syslogAction <name> (<serverIP> | ((<serverDomainName>[-domainResolveRetry <integer>]) | -lbVserverName <string>)) -logLevel <logLevel> ...
    set audit syslogAction <name> [-serverIP <ip_addr|ipv6_addr|*>]-serverDomainName <string>] [-lbVserverName <string>]-domainResolveRetry <integer>] [-domainResolveNow]
<!--NeedCopy-->

To add a server domain name to a Nslog action by using the command line interface.

At the command prompt, type:

    add audit nslogAction <name> (<serverIP> | (<serverDomainName>[-domainResolveRetry <integer>]))  -logLevel <logLevel> ...
    set audit nslogAction <name> [-serverIP <ip_addr|ipv6_addr|*>][-serverDomainName <string>] [-domainResolveRetry <integer>][-domainResolveNow]
<!--NeedCopy-->

Where serverDomainName. Domain name of the log server. Is mutually exclusive with serverIP/ lbVserverName.

DomainResolveRetry integer. Time (in seconds) that the Citrix ADC appliance waits, after a DNS resolution fails, before sending the next DNS query to resolve the domain name.

DomainResolveNow. Included if the DNS query has to be sent immediately to resolve the server’s domain name.

Configuring Syslog over TCP by using the GUI

 To configure the Citrix ADC appliance to send Syslog messages over TCP by using the GUI

  1. Navigate to System > Auditing > Syslog and select the Servers tab.
  2. Click Add and select Transport Type as TCP.

Configuring a net profile for SNIP support by using the GUI

To configure a net profile for SNIP support by using the GUI

  1. Navigate to System > Auditing > Syslog and select the Servers tab.
  2. Click Add and select a net profile from the list.

Configuring FQDN by using the GUI

To configure FQDN by using the GUI

  1. Navigate to System > Auditing > Syslog and select the Servers tab.
  2. Click Add and select a Server Type and Server Domain Name from the list.
SYSLOG Over TCP