SYSLOG Over TCP

Syslog is a standard for sending event notification messages. These messages can be stored locally or on an external log server. Syslog enables network administrators to consolidate log messages and derive insights from the collected data.

Syslog was originally designed to work over UDP, which can transmit a huge amount of data within the same network with minimal packet loss. However, telco operators prefer to transmit syslog data over TCP, because they need reliable, ordered data transmission between networks (for example, when a telco tracks user activities), and TCP provides retransmission in the event of network failure.

How Syslog over TCP works

To understand how syslog over TCP works, consider two hypothetical cases:

Sam, a network administrator, wants to log significant events on an external syslog server.

XYZ Telecom, an Internet service provider, has to transmit and store a significant amount of data on syslog servers to comply with government regulations.

In both cases, the log messages must be transmitted over a reliable channel and stored safely on an external syslog server. Unlike UDP, TCP establishes a connection, transmits messages reliably, and retransmits from sender to receiver any data that is corrupted or lost because of network failure.

The Citrix ADC appliance sends log messages over UDP to the local syslog daemon, and sends log messages over TCP or UDP to external syslog servers.
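
On the receiving side, TCP delivers a byte stream rather than one datagram per event, so the collector has to split the stream back into messages. The following is an added example, not code from the product or its documentation: a decoder for the two framings defined in RFC 6587. Which framing the appliance emits is not stated on this page and is an assumption to confirm against a capture; `SyslogStreamDecoder`, `parse_pri` and `MAX_MSG` are illustrative names.

```python
# Added example: split a syslog-over-TCP byte stream into messages (RFC 6587).
# Assumption: the sender uses octet-counting ("<len> <msg>") or LF-terminated
# framing; this page does not state which one the appliance emits.
import re

MAX_MSG = 8192  # cap frame size so a bogus length cannot exhaust memory
PRI_RE = re.compile(rb"<(\d{1,3})>")

def parse_pri(msg):
    """Decode the <PRI> header into facility and severity."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "text": msg[m.end():].decode("utf-8", "replace")}

class SyslogStreamDecoder:
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Add bytes from recv(); return the messages completed so far."""
        self.buf += chunk
        out = []
        while self.buf:
            if self.buf[:1].isdigit():          # octet-counting frame
                head, sep, rest = self.buf.partition(b" ")
                if not head.isdigit() or int(head) > MAX_MSG:
                    raise ValueError("bad frame length")
                if not sep or len(rest) < int(head):
                    break                       # wait for the rest of the frame
                msg, self.buf = rest[:int(head)], rest[int(head):]
            else:                               # LF-terminated frame
                msg, sep, rest = self.buf.partition(b"\n")
                if not sep:
                    if len(msg) > MAX_MSG:
                        raise ValueError("unterminated frame too long")
                    break                       # wait for the terminator
                self.buf = rest
            if msg:
                out.append(parse_pri(msg))
        return out

def demo():
    """Constructed sample: two octet-counted frames read 7 bytes at a time."""
    a, b = b"<134>constructed sample event A", b"<131>constructed sample event B"
    stream = b"".join(str(len(m)).encode() + b" " + m for m in (a, b))
    dec, got = SyslogStreamDecoder(), []
    for i in range(0, len(stream), 7):
        got += dec.feed(stream[i:i + 7])
    return got
```

A decoder that treats each `recv()` as one message works on a quiet lab link and silently merges or truncates events under load, which is why the buffer is kept across calls.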

SNIP support for Syslog

When the audit-log module generates syslog messages, it uses a Citrix ADC subnet IP (SNIP) address as the source address for sending the messages to an external syslog server. To configure a SNIP as the source address, you must make it part of the netProfile option and bind the netProfile to the syslog action.

Note

If a netProfile is not bound to a syslog action, the Citrix ADC IP (NSIP) is used as the source address for transmitting data to the external log server.

Use of a SNIP address is not supported in internal logging.

FQDN Support for audit Log

Previously, the audit-log module was configured with the destination IP address of the external syslog server to which the log messages are sent. Now, the audit-log server uses a Fully Qualified Domain Name (FQDN) instead of the destination IP address. The FQDN configuration resolves the configured domain name of the syslog server to the corresponding destination IP address for sending the log messages from the audit-log module. To resolve the domain name and avoid domain-based service issues, the name server must be properly configured.

Note

When configuring an FQDN, configuring the domain name of the same Citrix ADC appliance as the server domain name in a syslog action or nslog action is not supported.

Configuring Syslog over TCP by using Command Line Interface

To configure a Citrix ADC appliance to send syslog messages over TCP by using the command line interface

At the command prompt, type:

    add audit syslogAction <name> (<serverIP> | ((<serverDomainName> [-domainResolveRetry <integer>]) | -lbVserverName <string>))
    [-serverPort <port>] -logLevel <logLevel> [-dateFormat <dateFormat>] [-logFacility <logFacility>]
    [-tcp ( NONE | ALL )] [-acl ( ENABLED | DISABLED )] [-timeZone ( GMT_TIME | LOCAL_TIME )]
    [-userDefinedAuditlog ( YES | NO )] [-appflowExport ( ENABLED | DISABLED )] [-lsn ( ENABLED | DISABLED )]
    [-alg ( ENABLED | DISABLED )] [-subscriberLog ( ENABLED | DISABLED )] [-transport ( TCP | UDP )]
    [-tcpProfileName <string>] [-maxLogDataSizeToHold <positive_integer>] [-dns ( ENABLED | DISABLED )]
    [-netProfile <string>]

    add audit syslogaction audit-action1 10.102.1.1 -loglevel INFORMATIONAL -dateformat MMDDYYYY -transport TCP

Adding SNIP IP address to netprofile option by using the command line interface

To add a SNIP IP address to netprofile by using the command line interface

At the command prompt, type:

    add netProfile <name> [-td <positive_integer>] [-srcIP <string>] [-srcippersistency ( ENABLED | DISABLED )] [-overrideLsn ( ENABLED | DISABLED )]
    add audit syslogaction <name> <serverIP> -loglevel all -netprofile net1

    add netprofile net1 -srcip 10.102.147.204

Where srcIP is the SNIP.

Adding netprofile in a syslog action by using the command line interface

To add a netProfile option in a syslog action by using the command line interface

At the command prompt, type:

    add audit syslogaction <name> (<serverIP> | -lbVserverName <string>) -logLevel <logLevel>
    -netProfile <string> …

    add audit syslogaction sys_act1 10.102.147.36 -loglevel all -netprofile net1

Where -netProfile specifies the name of the configured net profile. The SNIP address is configured as part of the netProfile, and this netProfile is bound to the syslog action.

Note

When an LB virtual server name is configured in the syslog action, you must always bind the netProfile option to the SYSLOGUDP or SYSLOGTCP services that are bound to the SYSLOGUDP or SYSLOGTCP load balancing virtual server.

Configuring FQDN support by using the command line interface

To add a server domain name to a Syslog action by using the command line interface

At the command prompt, type:

    add audit syslogAction <name> (<serverIP> | ((<serverDomainName> [-domainResolveRetry <integer>]) | -lbVserverName <string>)) -logLevel <logLevel> ...
    set audit syslogAction <name> [-serverIP <ip_addr|ipv6_addr|*>] [-serverDomainName <string>] [-lbVserverName <string>] [-domainResolveRetry <integer>] [-domainResolveNow]

To add a server domain name to an nslog action by using the command line interface

At the command prompt, type:

    add audit nslogAction <name> (<serverIP> | (<serverDomainName>[-domainResolveRetry <integer>]))  -logLevel <logLevel> ...
    set audit nslogAction <name> [-serverIP <ip_addr|ipv6_addr|*>][-serverDomainName <string>] [-domainResolveRetry <integer>][-domainResolveNow]

Where:

serverDomainName: Domain name of the log server. This is mutually exclusive with serverIP/lbVserverName.

domainResolveRetry <integer>: Time (in seconds) that the Citrix ADC appliance waits, after a DNS resolution fails, before sending the next DNS query to resolve the domain name.

domainResolveNow: Included if the DNS query has to be sent immediately to resolve the server's domain name.

Configuring Syslog over TCP by using the GUI

To configure the Citrix ADC appliance to send Syslog messages over TCP by using the GUI

  1. Navigate to System > Auditing > Syslog and select the Servers tab.
  2. Click Add and select Transport Type as TCP.

Configuring netprofile for SNIP support by using the GUI

To configure netprofile for SNIP support by using the GUI

  1. Navigate to System > Auditing > Syslog and select the Servers tab.
  2. Click Add and select a netprofile from the list.  

Configuring FQDN by using the GUI

To configure FQDN by using the GUI

  1. Navigate to System > Auditing > Syslog and select the Servers tab.
  2. Click Add and select a Server Type and Server Domain Name from the list.
