Citrix NetScaler
To integrate Citrix NetScaler events with JSA, you must configure Citrix NetScaler to forward syslog events.
Using SSH, log in to your Citrix NetScaler device as a root user.
Type the following command to add a remote syslog server:
add audit syslogAction <ActionName> <IP Address> -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
Where:
<ActionName> is a descriptive name for the syslog server action.
<IP Address> is the IP address or host name of your JSA console.
Example:
add audit syslogAction action-QRadar 192.0.2.1 -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
Type the following command to add an audit policy:
add audit syslogPolicy <PolicyName> <Rule> <ActionName>
Where:
<PolicyName> is a descriptive name for the syslog policy.
<Rule> is the rule or expression the policy uses. The only supported value is ns_true.
<ActionName> is a descriptive name for the syslog server action.
Example:
add audit syslogPolicy policy-QRadar ns_true action-QRadar
Type the following command to bind the policy globally:
bind system global <PolicyName> -priority <Integer>
Where:
<PolicyName> is a descriptive name for the syslog policy.
<Integer> is a number value that is used to rank message priority for multiple policies that are communicating by using syslog.
Example:
bind system global policy-QRadar -priority 30
When multiple policies have a priority (a number value that is assigned to them), the policy with the lower number value is evaluated before the policy with the higher number value.
Type the following command to save the Citrix NetScaler configuration:
save config
Type the following command to verify that the policy is saved in your configuration:
sh system global
Note: For information on configuring syslog by using the Citrix NetScaler user interface, see http://support.citrix.com/article/CTX121728 or your vendor documentation.
The configuration is complete. The log source is added to JSA as Citrix NetScaler events are automatically discovered. Events that are forwarded by Citrix NetScaler are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for Citrix NetScaler
If JSA does not automatically detect the log source, add a Citrix NetScaler log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Citrix NetScaler:
Parameter | Value |
---|---|
Log Source type | Citrix NetScaler |
Protocol Configuration | Syslog |
Log Source Identifier | Type the IP address or host name for the log source. The identifier helps you determine which events came from your Citrix NetScaler devices. |
Citrix NetScaler Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Citrix NetScaler Sample Message When You Use the Syslog Protocol
The following sample event message shows a successful SSL handshake.
<135> 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | SSL_HANDSHAKE_SUCCESS |
Source IP | 172.25.184.157 |
Source Port | 19849 |
Destination IP | 10.254.14.94 |
Destination Port | 443 |
Device Time | 12/04/2017:17:21:00 GMT |
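The following Python sketch is an added example, not JSA or Citrix code. It parses the sample event above into the fields listed in the table and shows why the receiver must read the timestamp with the same -dateFormat that was set on the syslog action: 12/04/2017 is 12 April under DDMMYYYY but 4 December under MMDDYYYY. The names parse_netscaler, HEADER, PAIR and DATE_FORMATS are hypothetical, and the header layout is assumed from the single sample message on this page.

```python
import re
from datetime import datetime, timezone

# Sample event from this page, joined onto one line (no CR/LF).
SAMPLE = (
    '<135> 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG '
    'SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - '
    'ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - '
    'ClientVersion TLSv1.2 - CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - '
    'Session Reuse'
)

# Header layout assumed from the sample: <PRI> time zone host PE : feature event seq code : body
HEADER = re.compile(
    r'^<\d{1,3}>\s*(?P<ts>\S+) (?P<tz>\S+) (?P<host>\S+) \S+ : '
    r'(?P<feature>\S+) (?P<event_id>\S+) \d+ \d+ : (?P<body>.*)$'
)
# Body is "Key value - Key value ..."; a value may be double-quoted.
PAIR = re.compile(r'(?:^| - )(?P<key>\w+) (?P<val>"[^"]*"|\S+)')
# strptime patterns keyed by the -dateFormat value set on the syslogAction.
DATE_FORMATS = {
    "DDMMYYYY": "%d/%m/%Y:%H:%M:%S",   # value used on this page
    "MMDDYYYY": "%m/%d/%Y:%H:%M:%S",   # shown for contrast only
}

def parse_netscaler(line, date_format="DDMMYYYY"):
    """Return the fields from the page's mapping table for one event line."""
    line = line.replace("\r", "").replace("\n", "")  # undo wrapped pastes
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a NetScaler audit syslog line")
    when = datetime.strptime(m["ts"], DATE_FORMATS[date_format])
    if m["tz"] == "GMT":
        when = when.replace(tzinfo=timezone.utc)
    kv = {p["key"]: p["val"].strip('"') for p in PAIR.finditer(m["body"])}
    def port(name):  # numeric value, or None when the key is absent
        return int(kv[name]) if kv.get(name, "").isdigit() else None
    return {
        "Event ID": m["event_id"],
        "Source IP": kv.get("ClientIP"),
        "Source Port": port("ClientPort"),
        "Destination IP": kv.get("VserverServiceIP"),
        "Destination Port": port("VserverServicePort"),
        "Device Time": when,
        "Extra": kv,               # all key/value pairs from the body
    }

if __name__ == "__main__":
    for name, value in parse_netscaler(SAMPLE).items():
        print(f"{name}: {value}")
```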