Configuring the NetScaler Appliance for Audit Logging

Jan 07, 2016

On the NetScaler appliance, you configure SYSLOG and/or NSLOG policies. Each policy includes a rule, which is an expression identifying the messages to be logged, and a SYSLOG or NSLOG (depending on the type of policy) action. The action specifies the server to which to send the log message, the level of the messages to be logged, and the data format of the logged messages. You can bind the policies globally or to individual virtual servers.

The appliance logs the following information related to TCP connections:

  • Source port
  • Destination port
  • Source IP
  • Destination IP
  • Number of bytes transmitted and received
  • Time period for which the connection is open
Note:
  • You can enable TCP logging on individual load balancing virtual servers. To do so, bind the audit log policy to the specific load balancing virtual server that you want to log.
  • When using the NetScaler as the audit log server, by default the ns.log file is rotated (a new file is created) when the file size reaches 100K, and the last 25 copies of ns.log are archived and compressed with gzip. When a further archive is needed beyond those 25, the oldest archive is deleted. You can modify the 100K limit or the 25-file limit by updating the following entry in the /etc/newsyslog.conf file:
    /var/log/ns.log  600  25  100  *  Z

    where 25 is the number of archived files to be maintained and 100 (in KB) is the size of ns.log at which the file is archived.
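The following script is an added example, not part of the NetScaler documentation or product: it parses FreeBSD-style newsyslog.conf lines such as the one quoted above (logfilename [owner:group] mode count size when flags) and reports what the rotation policy keeps on disk, so an operator can confirm that ns.log retention still matches policy after the entry has been edited. The file contents embedded below are constructed for the example.

```python
"""Check the ns.log rotation entry in newsyslog.conf.

Added example; not part of the NetScaler documentation or product.
Parses newsyslog.conf entries (logfilename [owner:group] mode count size
when flags) and reports what the rotation policy keeps. The sample file
contents below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the entry quoted on the page plus one unrelated line.
SAMPLE_NEWSYSLOG_CONF = """\
# logfilename     mode  count  size  when  flags
/var/log/cron     600   3      100   *     JC
/var/log/ns.log   600   25     100   *     Z
"""


@dataclass
class RotationEntry:
    path: str
    mode: str                 # permissions of the newly created log file
    count: int                # archived copies kept before the oldest is deleted
    size_kb: Optional[int]    # rotate once the live file exceeds this many KB; None = no size trigger
    when: str                 # time-based trigger; '*' = none
    flags: str                # Z/J/X = compress archives (gzip/bzip2/xz), C = create if missing

    def compressed(self) -> bool:
        return any(f in self.flags for f in "ZJX")

    def max_disk_kb(self) -> Optional[int]:
        """Worst-case space for the live file plus all archives, assuming
        compression gains nothing (archives are never larger than the live file)."""
        if self.size_kb is None:
            return None
        return self.size_kb * (self.count + 1)


def parse_newsyslog(text: str) -> Dict[str, RotationEntry]:
    """Return a mapping of log path -> RotationEntry, ignoring comments."""
    entries: Dict[str, RotationEntry] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, rest = fields[0], fields[1:]
        if rest and ":" in rest[0]:      # optional owner:group column
            rest = rest[1:]
        if len(rest) < 5:
            raise ValueError(f"malformed newsyslog entry: {raw!r}")
        mode, count, size, when, flags = rest[:5]
        entries[path] = RotationEntry(
            path=path,
            mode=mode,
            count=int(count),
            size_kb=None if size == "*" else int(size),
            when=when,
            flags=flags,
        )
    return entries


def check_ns_log_rotation(text: str, min_archives: int = 25) -> List[str]:
    """Findings for the /var/log/ns.log entry; an empty list means it matches
    the defaults the documentation describes (25 gzip'd archives, mode 600)."""
    entry = parse_newsyslog(text).get("/var/log/ns.log")
    if entry is None:
        return ["no rotation entry for /var/log/ns.log"]
    findings = []
    if entry.count < min_archives:
        findings.append(f"only {entry.count} archives kept, expected at least {min_archives}")
    if not entry.compressed():
        findings.append("archives are not compressed (no Z/J/X flag)")
    if entry.mode != "600":
        findings.append(f"ns.log mode is {entry.mode}, expected 600")
    return findings


if __name__ == "__main__":
    ns = parse_newsyslog(SAMPLE_NEWSYSLOG_CONF)["/var/log/ns.log"]
    print(f"ns.log: keep {ns.count} archives, rotate at {ns.size_kb} KB, "
          f"worst-case {ns.max_disk_kb()} KB on disk")
    print("findings:", check_ns_log_rotation(SAMPLE_NEWSYSLOG_CONF) or "none")
```

Run against the real file with `check_ns_log_rotation(open("/etc/newsyslog.conf").read())`; the worst-case figure is the number to compare against the free space on the partition that holds /var/log.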

Configuring SYSLOG and NSLOG Actions

Updated: 2015-06-03

You can configure audit server actions for different servers and for different log levels.

By default, SYSLOG uses UDP, and NSLOG uses only TCP, to transfer log information to the log servers. TCP is more reliable than UDP for transferring complete data. When using TCP for SYSLOG, you can set the buffer limit on the NetScaler appliance for storing the logs, after which the buffered logs are sent to the SYSLOG server.

To configure a SYSLOG server action by using the command line interface

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • add audit syslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat ( MMDDYYYY | DDMMYYYY )] [-transport ( TCP | UDP )]
  • show audit syslogAction [<name>]

Example

> add audit syslogaction audit-action1 10.102.1.1 -loglevel INFORMATIONAL -dateformat MMDDYYYY

To configure an NSLOG server action by using the command line interface

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • add audit nslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> [-dateFormat ( MMDDYYYY | DDMMYYYY )]
  • show audit nslogAction [<name>]

Example

> add audit nslogAction nslog-action1 10.102.1.3 -serverport 520 -loglevel INFORMATIONAL -dateFormat MMDDYYYY

To configure an auditing server action by using the configuration utility

Navigate to System > Auditing > Syslog or Nslog, click the Servers tab and create the auditing server.

Specifying a domain name for a logging server

When configuring an auditlog action, you can specify the domain name of a syslog or nslog server instead of its IP address. Then, if the server's IP address changes, you don’t have to change it on the NetScaler appliance.

The domain name resolution is done through a DNS name server that resolves the host name of the syslog or nslog server to its IP address.

Specifying a domain name for a logging server consists of the following tasks:

Note: If you want to use another NetScaler as the DNS server, configure the following on that NetScaler:

  1. add service service1 10.102.146.48 adns 53
  2. add addrec bsdserver.com 10.102.146.4

Here service1 is the DNS service to be configured; when queried, this service resolves bsdserver.com to 10.102.146.4.

To configure the auditlog action to accept the domain name of a syslog server by using the command line

  • For a new syslog configuration, at the command prompt, type:

    add audit syslogAction <name> (<serverIP> | ((<serverDomainName> [-domainResolveRetry <integer>]) | -lbVserverName <string>)) -logLevel <logLevel>

  • For an existing syslog configuration, at the command prompt, type:

    set audit syslogAction <name> [-serverIP <ip_addr|ipv6_addr|*>] [-serverDomainName <string>] [-lbVserverName <string>] [-domainResolveRetry <integer>] [-domainResolveNow]

To configure the auditlog action to accept the domain name of an nslog server by using the command line

  • For a new nslog configuration, at the command prompt, type:

    add audit nslogAction <name> (<serverIP> | (<serverDomainName> [-domainResolveRetry <integer>])) -logLevel <logLevel> ...

  • For an existing nslog configuration, at the command prompt, type:

    set audit nslogAction <name> [-serverIP <ip_addr|ipv6_addr|*>] [-serverDomainName <string>] [-domainResolveRetry <integer>] [-domainResolveNow]

Parameter Description

serverDomainName

Instead of an IP address, you can specify a host name that has been assigned to a logging server. If you do so, you must add a DNS name server that resolves the host name of the logging server to its IP address.

domainResolveRetry

Amount of time, in seconds, for which the NetScaler appliance waits before sending another DNS query to resolve the host name of the logging server if the last query failed. This parameter is valid for host-name based logging servers only.

Minimum value: 5

Maximum value: 20939

Sample Configuration

Syslog:

In the following sample configuration, a syslog action (SYS-ACTION-1) and a syslog policy (SYSLOG-POLICY-1) are configured. SYS-ACTION-1 specifies the domain name (EXAMPLE.DOMAIN.NAME.SYSLOG) of a syslog server whose IP address is 192.0.2.10.

The NetScaler sends DNS queries to the DNS server with IP address 192.0.2.20 to resolve the domain name (EXAMPLE.DOMAIN.NAME.SYSLOG) of the syslog server to its IP address (192.0.2.10).

> add audit syslogAction SYS-ACTION-1 EXAMPLE.DOMAIN.NAME.SYSLOG -domainResolveRetry 500
Done

> add audit syslogPolicy SYSLOG-POLICY-1 ns_true SYS-ACTION-1
Done

> bind system global SYSLOG-POLICY-1
Done

> add nameserver 192.0.2.20
Done

Nslog:

In the following sample configuration, an nslog action (NSLOG-ACTION-1) and an nslog policy (NSLOG-POLICY-1) are configured. NSLOG-ACTION-1 specifies the domain name (EXAMPLE.DOMAIN.NAME.NSLOG) of an nslog server whose IP address is 192.0.2.10. The NetScaler sends DNS queries to the DNS server with IP address 192.0.2.20 to resolve the domain name of the nslog server.

> add audit nslogAction NSLOG-ACTION-1 EXAMPLE.DOMAIN.NAME.NSLOG -domainResolveRetry 500
Done

> add audit nslogPolicy NSLOG-POLICY-1 ns_true NSLOG-ACTION-1
Done

> bind system global NSLOG-POLICY-1
Done

> add nameserver 192.0.2.20
Done
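The following is an added example, not NetScaler code, that models the two rules the domainResolveRetry description gives: the value must lie in 5..20939, and the retry interval is the time the appliance waits before the next DNS query only after a query has failed. It also models -domainResolveNow as discarding the cached address and querying immediately. The DNS resolver is injected so the example runs offline; the scripted answers, the hostname and addresses (taken from the sample configuration above) and 192.0.2.11 are constructed inputs, and the state machine itself is an assumption of this example rather than the appliance's implementation.

```python
"""Model of hostname-based logging-server resolution with domainResolveRetry.

Added example; not NetScaler code. Encodes the documented limits (5..20939)
and the documented rule that the retry interval applies only after a failed
DNS query. The resolver is injected; all names and addresses are constructed.
"""
from typing import Callable, Iterable, List, Optional, Tuple

RETRY_MIN, RETRY_MAX = 5, 20939   # documented limits for domainResolveRetry (seconds)


class LogServerTarget:
    def __init__(self, domain_name: str, resolve_retry: int,
                 resolver: Callable[[str], Optional[str]]):
        if not RETRY_MIN <= resolve_retry <= RETRY_MAX:
            raise ValueError(
                f"domainResolveRetry must be {RETRY_MIN}..{RETRY_MAX}, got {resolve_retry}")
        self.domain_name = domain_name
        self.resolve_retry = resolve_retry
        self._resolver = resolver
        self.server_ip: Optional[str] = None
        self._next_query_at = 0.0    # simulated time at which the next DNS query is allowed
        self.queries = 0

    def tick(self, now: float) -> Optional[str]:
        """Drive the state machine with the current simulated time and return
        the address the log sender would use (None while unresolved)."""
        if self.server_ip is None and now >= self._next_query_at:
            self.queries += 1
            answer = self._resolver(self.domain_name)
            if answer is None:                       # query failed: back off
                self._next_query_at = now + self.resolve_retry
            else:
                self.server_ip = answer
        return self.server_ip

    def resolve_now(self, now: float) -> Optional[str]:
        """Equivalent of 'set audit syslogAction <name> -domainResolveNow'."""
        self.server_ip = None
        self._next_query_at = now
        return self.tick(now)


def scripted_resolver(answers: Iterable[Optional[str]]) -> Callable[[str], Optional[str]]:
    """Constructed DNS stand-in: hands out the scripted answers in order
    (None means the query failed) and keeps failing once they run out."""
    it = iter(answers)

    def resolve(_name: str) -> Optional[str]:
        return next(it, None)

    return resolve


def demo() -> Tuple[LogServerTarget, List[Tuple[int, Optional[str]]]]:
    """Two failed lookups followed by success, sampled every 100 s with
    domainResolveRetry 500 as in the sample configuration."""
    target = LogServerTarget("EXAMPLE.DOMAIN.NAME.SYSLOG", 500,
                             scripted_resolver([None, None, "192.0.2.10"]))
    timeline = [(t, target.tick(t)) for t in range(0, 1200, 100)]
    return target, timeline


if __name__ == "__main__":
    target, timeline = demo()
    for t, ip in timeline:
        print(f"t={t:5d}s  server_ip={ip}")
    print(f"DNS queries issued: {target.queries}")
```

With a retry of 500 seconds the model issues queries at t=0, t=500 and t=1000 and nothing is logged to the server before the third one succeeds, which is why a short domainResolveRetry matters when the logging server's address changes: until resolution succeeds, audit events go nowhere.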


Configuring Audit Policies

Updated: 2015-04-29

Configure SYSLOG policies to log messages to a SYSLOG server, and/or NSLOG policies to log messages to an NSLOG server. Each policy includes a rule identifying the messages to be logged, and a SYSLOG or NSLOG (depending on the type of policy) action.

To configure a SYSLOG policy by using the command line interface

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • add audit syslogPolicy <name> <rule> <action>
  • show audit syslogPolicy [<name>]

Example

> add audit syslogpolicy syslog-pol1 ns_true audit-action1

To configure an NSLOG policy by using the command line interface

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • add audit nslogPolicy <name> <rule> <action>
  • show audit nslogPolicy [<name>]

Example

> add audit nslogPolicy nslog-pol1 ns_true nslog-action1

To configure an audit server policy by using the configuration utility

Navigate to System > Auditing > Syslog or Nslog, click the Policies tab and create the auditing policy.

Binding the Audit Policies Globally

Updated: 2015-06-02

You must globally bind the audit log policies to their respective global entities (SYSTEM, RNAT, VPN) to enable logging of all NetScaler system events. By defining the priority level, you can set the evaluation order of the audit server logging. Priority 0 is the highest and is evaluated first. The higher the priority number, the lower is the priority of evaluation.

To globally bind an audit policy by using the command line interface

At the command prompt, type:

  • bind system global [<policyName> [-priority <positive_integer>]]
  • show system global

Example

> bind system global nslog-pol1 -priority 20

To globally bind the audit policy by using the configuration utility

  1. Navigate to System > Auditing > Syslog or Nslog.
  2. On Policies tab, click Action, and select Global Bindings to bind the audit global policies.

Configuring Policy-Based Logging

Updated: 2015-06-26

The audit logging feature dynamically captures audit logs in a user-defined format for rewrite and responder policies. The audit server (SYSLOG or NSLOG) collects and stores the logs in chronological order on the NetScaler appliance. Many enterprises use these logs to tune feature behavior and troubleshoot problems.

The NetScaler audit logging feature provides detailed control of the information to be logged and specifies the location where the log messages are stored. Each log message can have one of the severity levels described in the following table.

Log Level      Indicates
EMERGENCY      Critical problem that might make the system unusable.
ALERT          Noncritical problem that might cause the NetScaler appliance to function incorrectly. You must take immediate corrective action to prevent the appliance from experiencing a critical problem.
CRITICAL       Critical condition that does not restrict operation but might escalate to a larger problem.
ERROR          Failure of a NetScaler operation.
WARNING        Issue that might result in critical errors.
NOTICE         Same as INFORMATION, but in greater detail.
INFORMATION    Any action taken by the NetScaler appliance. This level of logging can help troubleshoot problems on the Citrix NetScaler product line.
DEBUG          Extensive, detailed information. Developers use this level of logging to troubleshoot problems.

Configuring Audit Logging for Rewrite and Responder Policies

To process logs for rewrite and responder policies, do the following:

  1. Create a SYSLOG action and associate it with a SYSLOG policy. A SYSLOG action specifies the configuration of the SYSLOG server: the server IP address, the port, and the kind of logs to be sent to that server.
  2. Create a SYSLOG policy. The SYSLOG policy includes a rule, which is an expression identifying the messages to be logged, and the SYSLOG action to apply to them.
  3. Bind the policy to system global. When a policy is bound to system global, the logs generated at the system level are sent to the syslog server defined in its syslog action.
  4. Add an audit message action. The audit message action specifies the log format, the level of the messages to be logged, and the data format of the logged messages.
  5. Create a rewrite or responder policy and associate the audit message action with it.
  6. Bind the rewrite or responder policy globally or to a load balancing or content switching virtual server, so that the policy applies to all the HTTP traffic of that virtual server.

To configure policy based logging by using the command line interface

At the command prompt, do the following:
  1. Create a syslog action.

    add audit syslogAction <name> <serverIP> -logLevel <logLevel> [-userDefinedAuditlog ( YES | NO )]

    Example:

    add audit syslogAction LogServerAction 10.102.115.34 -logLevel ALL -userDefinedAuditlog YES

    Note: The parameter "-userDefinedAuditlog" must be set to "YES" to capture audit logs in a user-defined format.
  2. Add a syslog policy.

    add audit syslogPolicy <name> <rule> <action>

    Example (the action name is the one created in step 1):

    add audit syslogPolicy customlog-log-pol ns_true LogServerAction

  3. Bind the syslog policy to system global.

    bind system global <policy name> [-priority <positive_integer>]

    Example:

    bind system global customlog-log-pol -priority 100

After configuring the SYSLOG settings, do the following to generate the user-defined logs:
  1. Add an audit message action.
    Note: Currently, the NetScaler appliance generates logs for packets belonging to a specific virtual server.

    add audit messageaction <name> <logLevel> <stringBuilderExpr> [-logtoNewnslog ( YES | NO )] [-bypassSafetyCheck ( YES | NO )]

    Example:

    add audit messageaction audit_log_action <logLevel> "\"alertType=NetScaler Log - clientIP=\" + CLIENT.IP.SRC" -logtoNewnslog ( YES | NO ) -bypassSafetyCheck YES

    where

    <logLevel> = ( EMERGENCY | ALERT | CRITICAL | ERROR | WARNING | NOTICE | INFORMATIONAL | DEBUG )

  2. Add a rewrite or responder policy

    add rewrite policy <name> <rule> <action> [-logAction <string>]

    add responder policy <name> <rule> <action> [-logAction <string>]

    Example:

    add rewrite policy log-rewr-pol true NOREWRITE -logAction audit_log_action

    add responder policy log-resp-pol true NOOP -logAction audit_log_action

    Note: In these examples the policy action is the "no action" action (NOREWRITE or NOOP), so the packet is not modified; the policy exists only to generate a log entry for the packet.

    Use the "logAction" policy parameter to link the audit message action to the policy.

  3. Bind the responder or rewrite policy to a virtual server

    bind lb vserver <name> (-policyName <string>@ [-priority <positive_integer>] [-gotoPriorityExpression <expression>] [-type ( REQUEST | RESPONSE )])

    Example:

    bind lb vserver <VSERVER NAME> -policyName log-rewr-pol -priority 5 -gotoPriorityExpression END -type REQUEST
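The other half of this setup is the collector that receives what the message action emits. The following is an added example, not NetScaler or Citrix code: a receiver-side parser that decodes the RFC 3164 <PRI> header into one of the eight severity levels from the table above, applies a level threshold the way -logLevel on the syslog action does (with ALL keeping everything), and extracts the key=value pairs from a user-defined message built like the "alertType=NetScaler Log - clientIP=" expression in the example. The sample lines are constructed, and the exact header the appliance writes (timestamp and hostname layout) is an assumption of this example rather than documented format.

```python
"""Receiver-side parser for user-defined NetScaler audit log messages.

Added example; not NetScaler or Citrix code. Decodes the syslog PRI field,
filters by the eight NetScaler severity levels, and extracts key=value pairs
from messages shaped like the messageaction example. Sample lines are
constructed; the header layout is an assumption of this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Index equals the RFC 3164 severity code (0 = most severe).
LEVELS = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE",
          "INFORMATIONAL", "DEBUG"]

# Constructed sample lines: facility local0 (16) with severities 6, 4 and 7,
# plus one malformed line to show the parser rejecting it.
SAMPLE_LINES = [
    "<134>Jan  7 10:00:01 ns-01 alertType=NetScaler Log - clientIP=192.0.2.55",
    "<132>Jan  7 10:00:02 ns-01 alertType=NetScaler Log - clientIP=198.51.100.7",
    "<135>Jan  7 10:00:03 ns-01 alertType=NetScaler Log - clientIP=203.0.113.9",
    "not a syslog line at all",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
_HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def decode_pri(pri: int) -> Tuple[int, str]:
    """Split a PRI value into (facility, level name)."""
    facility, severity = divmod(pri, 8)
    return facility, LEVELS[severity]


def parse_audit_line(line: str) -> Optional[Dict]:
    """Return a record for one syslog line, or None if it is not well formed."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # facility 23 / severity 7 is the maximum
        return None
    facility, level = decode_pri(pri)
    header = _HEADER_RE.match(m.group(2))
    if not header:
        return None
    timestamp, host, msg = header.groups()
    # The user-defined string joins key=value pairs with " - ".
    fields: Dict[str, str] = {}
    for part in msg.split(" - "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return {"level": level, "facility": facility, "timestamp": timestamp,
            "host": host, "fields": fields}


def filter_by_level(lines: List[str], log_level: str) -> List[Dict]:
    """Keep records at log_level or more severe, mirroring -logLevel on the
    syslog action; 'ALL' keeps every well-formed record."""
    threshold = len(LEVELS) - 1 if log_level == "ALL" else LEVELS.index(log_level)
    kept = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and LEVELS.index(rec["level"]) <= threshold:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_by_level(SAMPLE_LINES, "NOTICE"):
        print(rec["timestamp"], rec["host"], rec["level"], rec["fields"])
```

The threshold check is the same comparison the appliance applies: a numerically lower severity code is more severe, so a WARNING threshold passes EMERGENCY through WARNING and drops NOTICE and below. Keeping the key=value extraction separate from the header parsing lets the same collector handle other string-builder layouts by changing only the message split.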

Configuring policy based logging using the configuration utility

  1. Add a syslog action

    Navigate to System > Auditing > Syslog, click the Servers tab and create the auditing server.

  2. Add a syslog policy

    Navigate to System > Auditing > Syslog, click the Policies tab and create the auditing policy.

  3. Bind the syslog policy to system global
    1. Navigate to System > Auditing > Syslog.
    2. On the Policies tab, click Action, and select Global Bindings to bind the audit global policies.

After configuring the SYSLOG settings, do the following to generate the user-defined logs:
  1. Add an audit message action

    Navigate to System > Auditing > Message Actions, and create the audit message action.

  2. Add a rewrite or responder policy

    For a rewrite policy, navigate to AppExpert > Rewrite > Policies, and create the rewrite policy.

    For a responder policy, navigate to AppExpert > Responder > Policies, and create the responder policy.

    Note: When creating the policy, specify the audit message action in the Log Action field.
  3. Bind the responder or rewrite policy to a virtual server
    1. For load balancing. Navigate to Traffic Management > Load Balancing > Virtual Servers, select the required virtual server and click Policies to bind the relevant policy.
    2. For content switching. Navigate to Traffic Management > Content Switching > Virtual Servers, select the required virtual server and click Policies to bind the relevant policy.