Audit log support for admin partitions

On a partitioned Citrix ADC appliance, for enhanced data security, you can configure audit logging in an administrative partition by using advanced policies. For example, you might want to view logs (states and status information) of a specific partition that has multiple users accessing different sets of features on the basis of their levels of authorization in the partition.  

Points to remember

  1. The audit logs generated from the partition will be stored as a single log file (/var/log/ns.log).
  2. You must configure the audit log server’s (syslog or nslog) subnet address as the source IP address in the partition for sending the audit-log messages.
  3. The default partition uses the NSIP as the source IP address for the audit log messages by default.
  4. You can display the audit-log message by using the “show audit messages” command.

For information on audit-log configuration, see Configuring the NetScaler Appliance for Audit Logging.

Configuring audit logging in a partitioned Citrix ADC appliance

Complete the following tasks to configure audit logging in an administrative partition.

  1. Configure the partition subnet IP address. This is an IPv4 SNIP address of the administrative partition.
  2. Configure the audit-log (syslog and nslog) action. An audit action is a collection of information that specifies the messages to be logged and how to log the messages on the external log server.
  3. Configure audit-log (syslog and nslog) policies. Audit-log policies define the log messages sent from the source partition to the syslog or nslog server.
  4. Bind the audit-log policy to the syslogGlobal and nslogGlobal entities. You must bind an audit-log policy to a system global entity.
  5. Review audit-log statistics. Display the audit-log statistics and evaluate the configuration.

To configure the partition’s subnet IP address by using the command line interface

At the command prompt, type:

add ns ip <ip address> <subnet mask>

To configure a syslog action by using the command line interface

At the command prompt, type:

add audit syslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat (MMDDYYYY | DDMMYYYY )] [-transport ( TCP | UDP )]

To configure an nslog action by using the command line interface

At the command prompt, type:

add audit nslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat (MMDDYYYY | DDMMYYYY )]

To configure syslog audit-log policies by using the command line interface

At the command prompt, type:

add audit syslogpolicy syslog-pol1 true audit-action1

To configure nslog audit-log policies by using the command line interface

At the command prompt, type:

add audit nslogpolicy nslog-pol1 true audit-action1

To bind the audit-log policy to the syslogGlobal entity by using the command line interface

At the command prompt, type:

bind audit syslogglobal -policyName <name> -priority <priority_integer> -globalBindType SYSTEM_GLOBAL

To bind the audit-log policy to the nslogGlobal entity by using the command line interface

At the command prompt, type:

bind audit nslogglobal -policyName <name> -priority <priority_integer> -globalBindType SYSTEM_GLOBAL

To display audit-log statistics by using the command line interface

At the command prompt, type:

stat audit -detail

Example

add ns ip 10.102.1.1 255.255.255.0
add audit syslogAction syslog_action1 10.102.1.2 -logLevel INFORMATIONAL -dateFormat MMDDYYYY -transport UDP
add audit syslogpolicy syslog-pol1 true syslog_action1
bind audit syslogglobal -policyName syslog-pol1 -priority 1 -globalBindType SYSTEM_GLOBAL
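
A pre-deployment lint for the command sequence above, added here as an example and not Citrix tooling. It assumes point 2 under "Points to remember" means the partition SNIP and the log server share a subnet, and that the input contains concrete IP addresses rather than placeholders; the names lint and SAMPLE are hypothetical and the sample input is constructed.

```python
import ipaddress
import re

# Constructed sample: the example as it might be pasted into a script, with a
# typographic en-dash, a server outside the SNIP subnet, and no global binding.
SAMPLE = """\
add ns ip 10.102.1.1 255.255.255.0
add audit syslogAction syslog_action1 10.102.9.2 \u2013logLevel INFORMATIONAL -transport UDP
add audit syslogpolicy syslog-pol1 true syslog_action2
"""

def lint(config: str) -> list[str]:
    """Return findings for a partition audit-log command sequence."""
    findings, subnets, actions, policies, bound = [], [], {}, {}, set()
    for n, line in enumerate(config.splitlines(), 1):
        # Word processors turn "-option" into an en/em dash; the CLI needs "-".
        if re.search(r"(?:^|\s)[\u2013\u2014]\w", line):
            findings.append(f"line {n}: option starts with a typographic dash, not '-'")
            line = re.sub(r"[\u2013\u2014]", "-", line)
        tok = line.split()
        low = [t.lower() for t in tok]
        kind = low[2] if len(low) > 2 and low[:2] == ["add", "audit"] else ""
        if low[:3] == ["add", "ns", "ip"] and len(tok) >= 5:
            subnets.append(ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False))
        elif kind in ("syslogaction", "nslogaction") and len(tok) >= 5:
            actions[tok[3]] = (n, ipaddress.ip_address(tok[4]))
        elif kind in ("syslogpolicy", "nslogpolicy") and len(tok) >= 6:
            policies[tok[3]] = (n, tok[5])  # policy name -> action it references
        elif low[:2] == ["bind", "audit"]:
            m = re.search(r"-policyName\s+(\S+)", line, re.I)
            if m:
                bound.add(m.group(1))
    for n, server in actions.values():
        if not any(server in net for net in subnets):
            findings.append(f"line {n}: no partition SNIP shares a subnet with {server}")
    for name, (n, action) in policies.items():
        if action not in actions:
            findings.append(f"line {n}: policy {name} references undefined action {action}")
        if name not in bound:
            findings.append(f"line {n}: policy {name} is not bound globally")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

An empty result means every action's server is reachable from a configured SNIP subnet and every policy references a defined action and has a global binding.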

Configuring audit-log by using the Citrix ADC GUI

Storing logs

When the SYSLOG or NSLOG server collects log information from all partitions, it is stored as log messages in the ns.log file. The log messages contain the following information:

  • Partition Name.
  • The IP address.
  • A time stamp.
  • The message type.
  • The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency)
  • The message information.