Audit Log Support for Admin Partitions

Apr 21, 2017

On a partitioned NetScaler appliance, for enhanced data security, you can configure audit logging in an administrative partition by using advanced policies. For example, you might want to view logs (states and status information) of a specific partition that has multiple users accessing different sets of features on the basis of their levels of authorization in the partition.  

Points to Remember

  1. The audit logs generated from the partition will be stored as a single log file (/var/log/ns.log).
  2. You must configure the audit log server’s (syslog or nslog) subnet address as the source IP address in the partition for sending the audit-log messages.
  3. By default, the default partition uses the NetScaler IP (NSIP) address as the source IP address for audit-log messages.
  4. You can display the audit-log message by using the “show audit messages” command. 

For information on audit-log configuration, see http://docs.citrix.com/en-us/netscaler/11-1/system/audit-logging/configuring-audit-logging.html

Configuring Audit Logging in Partitioned NetScaler Appliance

Complete the following tasks to configure audit logging in an administrative partition.    

  1. Configure the partition subnet IP address. This is an IPv4 SNIP address of the administrative partition.
  2. Configure an audit-log (syslog and nslog) action. An audit action is a collection of information that specifies the messages to be logged and how to log the messages on the external log server.
  3. Configure audit-log (syslog and nslog) policies. Audit-log policies define which log messages are sent from the source partition to the syslog or nslog server.
  4. Bind the audit-log policy to the syslogGlobal and nslogGlobal entities. You must bind an audit-log policy to a system global entity.
  5. Review audit-log statistics. Display the audit-log statistics and evaluate the configuration.

To configure the partition's subnet IP address by using the command line interface

At the command prompt, type:

add ns ip <ip address> <subnet mask>

To configure a syslog action by using the command line interface

At the command prompt, type:

add audit syslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat (MMDDYYYY | DDMMYYYY )] [-transport ( TCP | UDP )]

To configure an nslog action by using the command line interface

At the command prompt, type:

add audit nslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat (MMDDYYYY | DDMMYYYY )]

To configure syslog audit-log policies by using the command line interface

At the command prompt, type:

add audit syslogpolicy syslog-pol1 true audit-action1

To configure nslog audit-log policies by using the command line interface

At the command prompt, type:

add audit nslogpolicy nslog-pol1 true audit-action1

To bind audit-log policy to syslogGlobal entity by using the command line interface

At the command prompt, type:

bind audit syslogglobal -policyName <name> -priority <priority_integer> -globalBindType SYSTEM_GLOBAL

To bind audit-log policy to nslogGlobal entity by using the command line interface

At the command prompt, type:

bind audit nslogglobal -policyName <name> -priority <priority_integer> -globalBindType SYSTEM_GLOBAL

To display audit-log statistics by using the command line interface

At the command prompt, type:

stat audit -detail

Example

add ns ip 10.102.1.1 255.255.255.0

add audit syslogAction syslog_action1 10.102.1.2 -logLevel INFORMATIONAL -dateFormat MMDDYYYY -transport UDP

add audit syslogpolicy syslog-pol1 true syslog_action1

bind audit syslogglobal -policyName syslog-pol1 -priority 1 -globalBindType SYSTEM_GLOBAL

Configuring audit-log by using the NetScaler GUI

Storing Logs

When a SYSLOG or NSLOG server collects log information from all partitions, the information is stored as log messages in the ns.log file. The log messages contain the following information:

  • Partition Name.
  • The IP address.
  • A time stamp.
  • The message type.
  • The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency).
  • The message information.
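
Because every partition writes to the same ns.log, a per-partition review needs the partition field pulled out of each line. The following is an added example, not part of the Citrix documentation: it parses the fields listed above and groups records by partition, with an optional minimum severity. The line layout in `LINE_RE`, the short syslog level names, and the sample lines (including the NSIP 10.102.0.5) are assumptions constructed for illustration; check them against your own ns.log.

```python
import re
from collections import defaultdict

# Syslog severity names, most severe first (assumed spelling of the level tag).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed layout: <facility.level> <source IP> <MM/DD/YYYY:HH:MM:SS> <TZ> <host>
# <PE id> : <partition> <feature> <message type> <id> <n> : <message>
LINE_RE = re.compile(
    r"<(?P<facility>\w+)\.(?P<level>\w+)>\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<timestamp>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+\S+\s+:\s+"
    r"(?P<partition>\S+)\s+(?P<feature>\S+)\s+(?P<msgtype>\S+)\s+\d+\s+\d+\s+:\s+(?P<message>.*)$"
)

# Constructed sample lines, not captured from a real appliance.
SAMPLE = """\
Apr 21 10:15:30 <local0.info> 10.102.1.1 04/21/2017:10:15:30 GMT ns 0-PPE-0 : partition1 UI CMD_EXECUTED 101 0 :  User admin1 - Command "show audit messages" - Status "Success"
Apr 21 10:15:42 <local0.err> 10.102.1.1 04/21/2017:10:15:42 GMT ns 0-PPE-0 : partition1 UI CMD_EXECUTED 102 0 :  User admin1 - Command "add ns ip 10.102.1.1 255.255.255.0" - Status "ERROR"
Apr 21 10:16:03 <local0.info> 10.102.0.5 04/21/2017:10:16:03 GMT ns 0-PPE-0 : default UI CMD_EXECUTED 103 0 :  User nsroot - Command "stat audit -detail" - Status "Success"
this line is truncated or from another daemon
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def by_partition(text, min_level="debug"):
    """Group records by partition, keeping those at least as severe as min_level."""
    cutoff = LEVELS.index(min_level)
    groups, unparsed = defaultdict(list), []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None or rec["level"] not in LEVELS:
            unparsed.append(line)  # keep unparsed lines visible; never drop audit data silently
        elif LEVELS.index(rec["level"]) <= cutoff:
            groups[rec["partition"]].append(rec)
    return dict(groups), unparsed


if __name__ == "__main__":
    groups, unparsed = by_partition(SAMPLE, min_level="err")
    for part, recs in groups.items():
        for r in recs:
            print(part, r["ip"], r["timestamp"], r["level"], r["msgtype"], r["message"])
    print("unparsed lines:", len(unparsed))
```
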