Configuring NetScaler for audit logging

In today’s security-conscious environment, maintaining comprehensive audit logs and integrating them with Security Information and Event Management (SIEM) systems is crucial. Citrix NetScaler (formerly known as Citrix ADC) provides robust syslog capabilities that can be leveraged to enhance your organization’s security posture and compliance efforts.

Understanding NetScaler’s Audit Logging Capabilities

NetScaler generates various types of logs that can be valuable for security monitoring:

  • System events
  • Authentication attempts
  • Configuration changes
  • Load balancing decisions
  • SSL transactions
  • Application Firewall events

Configuring Syslog Servers in NetScaler

Prerequisites

  • A running syslog server (such as Kiwi Syslog, rsyslog, syslog-ng or any other SIEM product)
  • Network connectivity between the NetScaler and the syslog server. Note that if you specify the syslog server by FQDN rather than IP address, ICMP (ping) must be permitted between the NetScaler and the server
  • Required ports open (typically UDP 514 or TCP 514)

Basic Syslog Configuration

Via Command Line Interface (CLI):

add audit syslogAction SIEM-Logger-01 IP -serverPort 514 -logLevel INFO -dateFormat MMDDYYYY
add audit syslogPolicy SIEM-Policy-01 true SIEM-Logger-01
bind system global SIEM-Policy-01 -priority 100

Via NetScaler GUI:

Navigate to System > Auditing > Syslog > Servers, click “Add” and configure the following parameters:

  • Name: SIEM-Logger-01
  • Server: IP
  • Port: 514
  • Log Level: INFO (add others if you need to)
  • Date Format: MMDDYYYY
  • Time Zone: Local

(Screenshot: create syslog server on NetScaler)

You can either send all logs or select only the ones you want sent; both options are shown below. The Log Levels table further down gives an idea of what gets logged at each level.

(Screenshot: create syslog server on NetScaler, all logs and selected logs)

By default, syslog messages are sent over UDP 514. You can change this by selecting TCP under Transport Type, as shown below.

(Screenshot: create syslog server on NetScaler, transport type)

Click Create to create the syslog action.

Now, let’s create the syslog policy. For that, click the Policies tab under Syslog Auditing.

Click Add.

Give the policy a Name and ensure Advanced Policy is selected. In the Server field, select the action created in the earlier step (SIEM-Logger-01) and click Create.

(Screenshot: syslog policy for NetScaler)

The last step to complete the configuration is to bind the policy globally.

Click the Select Action drop-down and select Advanced Policy Global Bindings.

(Screenshot: syslog auditing, advanced policy global bindings)

Click Add Binding.

Click to select the policy, set the global bind type to System_Global, and bind it.

Log Levels

Log Level       Explanation
ALL             All events
EMERGENCY       Events that indicate an immediate crisis on the server.
ALERT           Events that might require action.
CRITICAL        Events that indicate an imminent server crisis.
ERROR           Events that indicate some type of error.
WARNING         Events that require action in the near future.
NOTICE          Events that the administrator should know about.
INFORMATIONAL   All but low-level events.
DEBUG           All events, in extreme detail.
NONE            No events.

What’s the Syslog source IP on the NetScaler?

It is the NSIP (management IP), so your SIEM administrator needs to add the NetScaler’s NSIP as the expected source. You can change the source to the Subnet IP (SNIP) or any other IP by using a Net Profile.
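To check on the receiving side that forwarding behaves as described (datagrams on UDP 514, events arriving from the NSIP, severities matching the Log Levels table above), here is an added Python example; it is not part of the original post and not NetScaler code. The NSIP value and the sample datagram are constructed placeholders.

```python
import socket

# RFC 3164 severity numbers mapped to the NetScaler log-level names
# from the Log Levels table above (PRI = facility * 8 + severity).
SEVERITY_TO_LEVEL = {
    0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
    4: "WARNING", 5: "NOTICE", 6: "INFORMATIONAL", 7: "DEBUG",
}

# Constructed placeholders: the NetScaler NSIP and one sample datagram
# with PRI 134 = facility local0 (16) * 8 + severity INFORMATIONAL (6).
NSIP = "192.0.2.10"
SAMPLE = b"<134>Jan 22 11:54:38 NS01 constructed sample message"


def parse_pri(datagram):
    """Decode the <PRI> header; return None if it is missing or malformed."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">", 1, 5)  # PRI is one to three digits after "<"
    if not text.startswith("<") or end == -1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:  # facility 23, severity 7 is the largest valid PRI
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "level": SEVERITY_TO_LEVEL[pri % 8],
        "message": text[end + 1:],
    }


def accept(datagram, source_ip, nsip=NSIP, max_severity=6):
    """Keep a datagram only if it came from the NSIP and its severity is at
    most max_severity (6 = INFORMATIONAL, the level set in the post)."""
    parsed = parse_pri(datagram)
    if parsed is None or source_ip != nsip or parsed["severity"] > max_severity:
        return None
    return parsed


def serve(bind_ip="0.0.0.0", port=514, nsip=NSIP):
    """Listen on UDP 514 (needs root; use a high port for testing) and print
    the events accepted from the NetScaler."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            event = accept(data, src, nsip)
            if event is not None:
                print(event["level"], event["message"])
```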

References

audit-syslogAction command reference: https://developer-docs.netscaler.com/en-us/adc-command-reference-int/current-release/audit/audit-syslogAction.html

Remember to regularly review and update your logging configuration as your environment evolves and new security requirements emerge.
