Citrix ADC

Audit log support for admin partitions

On a partitioned Citrix ADC appliance, for enhanced data security, you can configure audit logging in an administrative partition by using advanced policies. For example, you might want to view the logs (state and status information) of a specific partition that has multiple users accessing different sets of features based on their levels of authorization in the partition.

Points to remember

  1. The audit logs generated from the partition are stored in a single log file (/var/log/ns.log).
  2. Configure the audit log server’s (syslog or ns log) subnet address as the source IP address in the partition for sending the audit-log messages.
  3. The default partition uses the NSIP as the source IP address for the audit-log messages.
  4. You can display the audit-log message by using the “show audit messages” command.

For information on audit-log configuration, see Configuring the NetScaler Appliance for Audit Logging.

Configuring audit logging in partitioned Citrix ADC appliance

Complete the following tasks to configure audit logging in an administrative partition.

  1. Configure the partition's subnet IP address. This is an IPv4 SNIP address of the administrative partition.
  2. Configure an audit-log (syslog and ns log) action. An audit action is a collection of information that specifies the messages to be logged and how to log the messages on the external log server.
  3. Configure audit-log (syslog and ns log) policies. Audit-log policies define log messages for the source partition to the syslog or ns log server.
  4. Bind audit-log policy to sysGlobal and nsGlobal entity. Bind an audit-log policy to a system global entity.
  5. Review audit-log statistics. Display the audit-log statistics and evaluate the configuration.

Configure the following by using the CLI

  1. Create a partition’s subnet IP address

    add ns ip <ip address> <subnet mask>

  2. Create a syslog action

    add audit syslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat (MMDDYYYY | DDMMYYYY )] [-transport ( TCP | UDP )]

  3. Create an ns log action

    add audit nslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat (MMDDYYYY | DDMMYYYY )]

  4. Create a syslog audit-log policy

    add audit syslogpolicy syslog-pol1 true audit-action1

  5. Create an ns log audit-log policy

    add audit nslogpolicy nslog-pol1 true audit-action1

  6. Bind an audit-log policy to syslogGlobal entity

    bind audit syslogglobal -policyName <name> -priority <priority_integer> -globalBindType SYSTEM_GLOBAL

  7. Bind an audit-log policy to nslogGlobal entity

    bind audit nslogglobal -policyName <name> -priority <priority_integer> -globalBindType SYSTEM_GLOBAL

  8. Display the audit-log statistics

    stat audit -detail

Example

    add ns ip 10.102.1.1 255.255.255.0
    add audit syslogAction syslog_action1 10.102.1.2 -logLevel INFORMATIONAL -dateFormat MMDDYYYY -transport UDP
    add audit syslogpolicy syslog-pol1 true syslog_action1
    bind audit syslogglobal -policyName syslog-pol1 -priority 1 -globalBindType SYSTEM_GLOBAL

Storing logs

When the SYSLOG or NSLOG server collects log information from all partitions, it is stored as log messages in the ns.log file. The log messages contain the following information:

  • Partition Name.
  • The IP address.
  • A time stamp.
  • The message type.
  • The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency)
  • The message information.
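
Because messages from every partition end up in one ns.log file, a per-partition breakdown is a useful first step when reviewing it. The following Python sketch is an added example, not Citrix code: it groups messages by partition name, counts them per log level, and records the source IP addresses seen for each partition. The line layout in `LINE_RE`, the sample lines, the partition name `partition1` and the address 10.102.0.10 are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# ASSUMED line layout (the page lists the fields, not their order); check it
# against a line from your own ns.log before relying on this pattern:
# <facility.level> <source IP> <timestamp> <TZ> <host> <PE> : <partition> <type> <id> <n> : <message>
LINE_RE = re.compile(
    r"<\w+\.(?P<level>\w+)>\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\s+\S+\s+"  # timestamp, time zone
    r"\S+\s+\S+\s+:\s+"                                       # host name, engine id
    r"(?P<partition>\S+)\s+(?P<type>\S+\s+\S+)\s+"
    r"\d+\s+\d+\s+:\s+(?P<message>.*)$"
)

# Constructed sample lines (not real appliance output). 10.102.1.1 is the
# partition SNIP from the page's example; other addresses and names are made up.
SAMPLE_LOG = """\
Jun 10 12:01:02 <local0.info> 10.102.1.1 06/10/2024:12:01:02 GMT ns 0-PPE-0 : partition1 UI CMD_EXECUTED 101 0 : User admin1 - Command "show ns ip" - Status "Success"
Jun 10 12:01:09 <local0.warn> 10.102.1.1 06/10/2024:12:01:09 GMT ns 0-PPE-0 : partition1 UI CMD_EXECUTED 102 0 : User admin2 - Command "rm lb vserver v1" - Status "ERROR: Not authorized"
Jun 10 12:02:00 <local0.info> 10.102.0.10 06/10/2024:12:02:00 GMT ns 0-PPE-0 : default UI CMD_EXECUTED 877 0 : User nsroot - Command "stat audit -detail" - Status "Success"
truncated line without the expected fields
"""

def parse_line(line):
    """Return the fields of one audit-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Group messages by partition: count per level and collect source IPs."""
    summary = defaultdict(lambda: {"levels": Counter(), "sources": set()})
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep for manual review, do not drop silently
            continue
        summary[rec["partition"]]["levels"][rec["level"]] += 1
        summary[rec["partition"]]["sources"].add(rec["ip"])
    return dict(summary), unparsed

if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE_LOG.splitlines())
    for name, info in sorted(summary.items()):
        print(name, dict(info["levels"]), sorted(info["sources"]))
    print("unparsed lines:", len(unparsed))
```

A partition whose messages arrive from an address other than its configured SNIP, or a partition that is missing from the summary altogether, points to a source-IP or policy-binding problem worth checking with `stat audit -detail`.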