Product documentation
Citrix Virtual Apps and Desktops
Current Release Service 2507 LTSR 2411 2407 2402 LTSR 2311 2203 LTSR
View PDF

Uploading the AOT logs from CVAD Core Components

December 11, 2025
Contributed by: 
C

Beginning with CVAD 2507 CU1 and CVAD 2511, AOT logs are gathered from all applicable components. The supported components include DDC, StoreFront, Citrix Director, Windows VDA, Linux VDA, Mac VDA, License Server, FAS, Cloud Connector, PVS, WEM, Session Recording, Citrix Workspace UI, and Citrix Gateway.

All CWA client logs will be made available at a particular release. Please refer to the section for real-time updates.

Centralized log forwarding configuration via Citrix Web Studio

Citrix Web Studio provides a centralized location for configuring Always-on Tracing (AOT) log forwarding across the site. This setting defines where AOT logs are sent and automatically propagates the configuration to relevant components in the environment.

When you configure the log server in Web Studio:

  • The configuration is written in the Site database.
  • Delivery Controllers retrieve the updated settings and distribute them to the VDAs in the selected delivery groups.
  • VDAs use the received configuration to forward their AOT logs to the specified log server.
  • StoreFront that participates in AOT logging receives the necessary details through the same centralized mechanism.
  • Director uses the provided AuthKey and log server details to query and display AOT logs for monitoring and troubleshooting.

This centralized approach removes the need to configure each component individually. You set up the log server details once in Web Studio, and Citrix automatically propagates the configuration across the site.

Below is the list of components that will get log server details once it is set on Web Studio:

  • Citrix Director/Monitor
  • Citrix Delivery Controller
  • Windows VDA
  • Linux VDA
  • Mac VDA
  • StoreFront
  • Session Recording Agent
  • CWAs

To configure the log server settings for on-prem environment

AOT Log Server Settings

  1. Sign in to Web Studio and select Settings in the left pane.
  2. In the Log server tile, select Add if no log server is configured.
  3. On the Log server page, turn on Enable log forwarding to log server.
  4. Enter the Log server address and Port. VDAs and Delivery Controllers use this information to forward AOT logs.

  5. Choose which components forward logs:

    1. Include Delivery Controllers: Sends AOT logs from all Delivery Controllers.

    2. Select delivery groups: Sends logs from VDAs in selected delivery groups.

      • All delivery groups: Sends logs from all VDAs.
      • Select specific delivery groups: Choose individual delivery groups to include.
  6. Enter the AuthKey generated on the log server. The dDirector uses this key to authenticate and retrieve logs.
  7. Select Save to apply the configuration.

To edit an existing configuration

To update the log server or modify the logging scope, go to Settings > Log server and select Edit.

To configure the log server settings for Citrix DaaS/Cloud environment

AOT Log Server Settings 1

Citrix Web Studio for DaaS provides a centralized location to configure Always-on Tracing (AOT) log forwarding for cloud-managed sites. This configuration determines where AOT logs are sent and controls which VDAs participate in log forwarding. Monitor uses these settings to retrieve and display logs for troubleshooting.

  1. Sign in to Web Studio and select Settings in the left pane.
  2. In the Log server tile, select Add if no log server is currently configured.
  3. On the Log server page, enter the Log server address and Port. VDAs use this information to forward AOT logs to the server.

  4. Define which VDAs forward logs:

    1. Select Select delivery groups to control the scope.
    2. All delivery groups (default) forwards logs from all VDAs in the site.
    3. To target specific VDAs, select Select specific delivery groups, and choose the delivery groups you want to include.
  5. Select the Zone (resource location) where the log server is deployed.
  6. Enter the Authkey generated by the log server. Monitor uses this key to authenticate and retrieve logs for display.
  7. Select Save to apply the configuration.

Log forwarding configuration for other components

Configure AOT logs upload for Session Recording Server

You can configure the Session Recording Server to upload AOT logs to a central log server by running the following PowerShell command on the Session Recording Server machine:

#Enable - run following command in Session Recording Server PowerShell
Enable-CitrixAOTUpload -AotDataStoreEndpoint <server address>:<server port> -Role SessionRecording

#Disable - run following command in Session Recording Server PowerShell
Disable-CitrixAOTUpload
<!--NeedCopy-->

Configure AOT logs upload for FAS

You can configure FAS to upload AOT logs to a central log server by running the following PowerShell command on the FAS Server:

#Enable - run following command in FAS PowerShell
Enable-CitrixAOTUpload -AotDataStoreEndpoint <server address>:<server port> -Role FAS

#Disable - run following command in FAS PowerShell
Disable-CitrixAOTUpload
<!--NeedCopy-->

Configure AOT logs upload for PVS

You can configure PVS to upload AOT logs to a central log server by running the following PowerShell command on the PVS Server:

#Enable - run following command in PVS PowerShell
Enable-CitrixAOTUpload -AotDataStoreEndpoint <server address>:<server port> -Role PVS

#Disable - run following command in PVS PowerShell
Disable-CitrixAOTUpload
<!--NeedCopy-->

Note:

If you have multiple PVS servers, run the command to enable or disable AOT log uploads on each one.

Uploading AOT logs for License Server

  • The Logserver URL needs to be updated inside SLS config file, which can be find at the location “C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\SimpleLicenseServiceConfig.xml” with XML tag “AotServerURL”

Example:

<AotServerURL>https://10.110.249.168:8443/ctxlogserver/UploadCitrixLogStream</AotServerURL>
<!--NeedCopy-->
  • The License Server periodically uploads the logs to AOT server automatically.

Configure AOT logs upload for NetScaler

  • SSH into NetScaler CLI and then go into the NetScaler shell by running “shell” command.

  • Go into /var/analytics_conf directory

    cd /var/analytics_conf
<!--NeedCopy-->
  • Generate the schema file by executing an interactive python script “python {Add script name}”. The schema file defines the HTTP headers (Auth-token, User-Agent etc) and Payload attributes (Role, Machine IP etc).

Snippet of the output generated by this script 

root@Raju-adc2# python schema_generator_for_syslog_final.py 
Schema Builder: Follow the prompts to define your schema. 
Include 'Auth-Token'? (Y/n):  
Enter the display name (alias) for 'Auth-Token' (press Enter to keep as is): Authkey 
'Auth-Token' can only go in 'header'. Automatically selected. 
Include 'HostName'? (Y/n): n 
Include 'Content-type'? (Y/n): y 
Enter the display name (alias) for 'Content-type' (press Enter to keep as is): 
'Content-type' can only go in 'header'. Automatically selected. 
Default value for 'Content-type' is 'application/json'.  
Do you want to change it? (y/N):  
Include 'User-agent'? (Y/n):  
Enter the display name (alias) for 'User-agent' (press Enter to keep as is): 
'User-agent' can only go in 'header'. Automatically selected. 
Default value for 'User-agent' is 'AUDITLOGS/1.0'.  
Do you want to change it? (y/N):  
Include 'Role'? (Y/n): y  
Enter the display name (alias) for 'Role' (press Enter to keep as is):  
Where should 'Role' be included? (HEADER/payload): HEADER  
Default value for 'Role' is 'GW'.  
Do you want to change it? (y/N): y  
Enter new default value for 'Role': Gateway  
<!--NeedCopy-->

Sample schema file generated 

{ 
     "Header": { 
         "Auth-Token": { 
             "name": "AuthKey" 
         }, 
         "Content-type": { 
             "name": "Content-type", 
             "value": "application/json" 
         }, 
         "User-agent": { 
             "name": "User-agent", 
             "value": "AUDITLOGS/1.0" 
         }, 
         "Role": { 
             "name": "Role", 
             "value": "Gateway" 
         }, 
         "MachineIP": { 
             "name": "MachineIP" 
         }, 
         "MachineName": { 
             "name": "MachineName" 
         } 
     }, 
     "Payload": { 
         "LogLevel": "Level", 
         "MessageContent": "Message", 
         "ModuleName": "Module", 
         "Time": "TimeStamp" 
     }, 
     "Format": { 
         "delimiter": "" 
     } 
 }
<!--NeedCopy-->
  • Exit the shell and come back to the NetScaler CLI
  • Create a syslog Action which defines the Syslog Server, Ports and the schema file (created in the previous step) etc
add audit syslogAction {Action Name} {AOT Server IP/FQDN} -serverPort {Destination Port} -logLevel {Log Level} -transport HTTP -httpAuthToken {Authentication Token generated on the AOT sever} -httpEndpointUrl {AOT Server URL where logs will be sent} -httpSchemaFile {Schema File created in Previous Step}
<!--NeedCopy-->

Example:

add audit syslogAction act1 10.102.154.196 -serverPort 8088 -logLevel ALL -transport HTTP -httpAuthToken fbb94d5b234d86a6cb155e3f808dd33c9698a0d1a866e814573b1909e4c9e56896f433da1071e3276bd133269fd69203d8f29166816f4d427e709773ceb9d41d531043331f7f76 -httpEndpointUrl "/services/collector/event" -httpSchemaFile sample.json
<!--NeedCopy-->
  • Bind the syslogAction to the Audit Syslog Policy
add audit syslogPolicy {PolicyName} True {Name of the Syslog Action}
<!--NeedCopy-->

Example:

add audit syslogPolicy pol1 true act1
<!--NeedCopy-->
Uploading the AOT logs from CVAD Core Components
December 11, 2025
Contributed by: 
C
December 11, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.