Accenture MDR Quick Start Guide for Citrix® NetScaler Logging Configuration

This quick start guide will help Accenture MDR customers configure Citrix® NetScaler to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

  • Supported Versions

  • Port Requirements

  • Configuring Citrix NetScaler VPX

  • Configuring Citrix NetScaler SDX

  • LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source             Destination   Port                      Description
  Citrix NetScaler   LCP           514 (UDP) or 601 (TCP)    Default port

Configuring Citrix NetScaler VPX

To configure the Citrix NetScaler VPX to send logs to the LCP, follow the steps below.

  1. Verify if the hostname is configured.

  • Login to the NetScaler Web interface as an Administrator.

  • Navigate to Configuration > Settings.

  • Click on Host Name, DNS IP Address and Time Zone.

  • In the Host Name text box, verify if the host name is present.

a) If the host name is configured already, no action is required.

b) If the text box is empty, type a host name without spaces.

c) In the DNS IP Address text box, verify if the local DNS IP address is added.

d) In the Time Zone text box, type your time zone.

2. Configure the Syslog server action.

  • Login to the NetScaler Web interface as an Administrator.

  • Go to Configuration > System > Auditing > Syslog > Servers.

3. In the Create Auditing Server window, do the following steps.

  • Enter the syslog server details: Name, Server Type, the IP address of the LCP, and Port.

  • Select Log Levels as Custom.

  • Enable all log level check boxes except DEBUG.

  • Select LOCAL0 from Log Facility drop-down.

  • Select MMDDYYYY from Date Format drop-down.

  • Select Time Zone as GMT.

  • Uncheck all the remaining check boxes, as shown in the screenshot below.

  • Click OK to create the auditing server.

4. Bind an audit policy to the created server.

  • Go to Configuration > System > Auditing > Syslog and click the Policies tab.

  • In the Name* text box, type a name for the policy.

  • In the Server* drop-down list, select the policy from the previous section and click Create.

5. Right-click the created Auditing Policy, go to Action > Global Bindings and click Add Binding.

6. In the Policy Binding window:

  • In the Select Policy* text box, type the name of the created audit policy.

  • In the Binding Details section, in the Priority* text box, type 120 (the default priority) and click Bind.

Note: Priority is a numeric value that indicates when this policy is evaluated relative to other policies. Access Gateway gives precedence to a policy with a lower priority value.

Configuring Citrix NetScaler SDX

To configure the Citrix NetScaler SDX to send logs to the LCP, follow the steps below.

  1. Verify if the hostname is configured.

    a) Login to the NetScaler Web interface as an Administrator.

    b) Navigate to System > System Settings.

    c) In the Host Name text box, verify if the host name is present.

      i. If the host name is configured already, no action is required.

      ii. If the text box is empty, type a host name without spaces.

      iii. In the Time Zone text box, select UTC/GMT.

  2. Configure a syslog server.

    a) Navigate to System > Notifications > Syslog Servers.

    b) In the details pane, click Add.

    c) In the Create Syslog Server page, specify values for the syslog server parameters: enter a Name, the LCP IP address and the port number, choose Log Level 'Custom', select all log levels except Debug, and then click 'Create'.

  3. Configure the syslog parameters (date and time format).

    a) Navigate to System > Notifications > Syslog Servers.

    b) In the details pane, click Syslog Parameters.

    c) In the Configure Syslog Parameters page, select the date format 'MMDDYYYY' and the time format 'GMT'. Click 'OK'.

LCP Configuration Parameters

Table 1-2: The Citrix NetScaler event collector (Syslog -3679) properties to be configured by MDR are shown in the table.

  Property     Default Value                 Description
  Protocol     UDP                           The default protocol for syslog. The collector can also accept logs over TCP.
  Port         514                           The default port for UDP. For TCP, the default port is 601.
  IP Address   Citrix NetScaler IP Address   Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Signatures

MDR recommended signatures processed by the Citrix NetScaler event collector:

AAA EXTRACTED_GROUPS,AAA LOGIN_FAILED,AAA Message,AAATM HTTP_RESOURCEACCESS_DENIED,AAATM LOGIN,AAATM LOGOUT,AAATM Message,ACL ACL_PKT_LOG,ACL ACL6_PKT_LOG,ALG ALG_,API CMD_EXECUTED,APPFW AF_400_RESP,APPFW AF_MALFORMED_REQ_ERR,APPFW AF_,APPFW APPFW_BUFFEROVERFLOW_COOKIE,APPFW APPFW_BUFFEROVERFLOW_HDR,APPFW APPFW_BUFFEROVERFLOW_URL,APPFW APPFW_COOKIE,APPFW APPFW_CSRF_TAG,APPFW APPFW_DENYURL,APPFW APPFW_FIELDCONSISTENCY,APPFW APPFW_FIELDFORMAT,APPFW APPFW_POLICY_HIT,APPFW APPFW_POLICY_HIT_BUILTIN,APPFW APPFW_REFERER_HEADER,APPFW APPFW_SAFECOMMERCE,APPFW APPFW_SAFEOBJECT,APPFW APPFW_SIGNATURE_MATCH,APPFW APPFW_SQL,APPFW APPFW_STARTURL,APPFW APPFW_XML_DOS_ERR_MAX_NAMESPACES,APPFW APPFW_XML_ERR_NOT_WELLFORMED,APPFW APPFW_XML_SQL,APPFW APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT,APPFW APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE,APPFW APPFW_XML_XSS,APPFW APPFW_XSS,APPFW APPFW_,APPFW Message,APPFW_RESP AF_,APPFW_RESP APPFW_XML_ERR_NOT_WELLFORMED,APPFW_RESP APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT,APPFW_RESP APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE,APPFW_RESP APPFW_,BOT BOT_,CI ICAP_LOG,CI ICAPC_LOG,CI INLINE_INSPECTION_LOG,CI TRAFFIC_MIRROR_LOG,CLI CMD_EXECUTED,CONSOLE CMD_EXECUTED,DNS DNS_,EVENT ALERTENDED,EVENT ALERTSTARTED,EVENT BACKUPMEP6DOWN,EVENT BACKUPMEP6UP,EVENT BACKUPMEPDOWN,EVENT BACKUPMEPUP,EVENT CACHESTARTFLUSH,EVENT CACHESTOPFLUSH,EVENT CONFIGEND,EVENT CONFIGSTART,EVENT DEVICEDOWN,EVENT DEVICEOFS,EVENT DEVICEUP,EVENT DHCPCAQUIRE,EVENT DHCPCDEPENDPBR,EVENT DHCPCRELEASE,EVENT DHCPSVRERR,EVENT FREEBADMEM,EVENT FREEDUPMEM,EVENT FREEEXTMEM,EVENT MEPDOWN,EVENT MEPUP,EVENT MONITORDOWN,EVENT MONITORTH,EVENT MONITORUP,EVENT NICHANG,EVENT NICLACPSC,EVENT NICLOW_THROUGHPUT,EVENT NICMIGRATE,EVENT NICNORMAL_THROUGHPUT,EVENT NICPOWEROFF,EVENT NICPOWERON,EVENT NICRESET,EVENT NICSTART,EVENT NICSTOP,EVENT NWMEPDOWN,EVENT NWMEPUP,EVENT PROPFAIL,EVENT PROPSUCCESS,EVENT ROUTE6DOWN,EVENT ROUTE6UP,EVENT ROUTEDOWN,EVENT ROUTEUP,EVENT STARTCPU,EVENT STARTSAVECONFIG,EVENT STARTSYS,EVENT STOPSAVECONFIG,EVENT STOPSYS,EVENT VIPRHIDOWN,EVENT VIPRHIUP,EVENT VRID6DOWN,EVENT VRIDDOWN,EVENT VRIDINIT,EVENT VRIDUP,GUI CMD_EXECUTED,ICA Message,LSN PPTP_LOG,LSN LSN_,NSIP6 IPV6_DUPLICATED,PITBOSS PB_,PITBOSS PITBOSS,ROUTING ROUTE_,ROUTING ZEBOS_,SNMP TRAP_,SNMP TRAP_SENT,SSLI BYPASS_LOG,SSLI DROPPED_LOG,SSLI INTERCEPT_LOG,SSLLOG SSL_,SSLVPN CLISEC_CHECK,SSLVPN CLISEC_EXP_EVAL,SSLVPN HTTP_RESOURCEACCESS_DENIED,SSLVPN HTTPREQUEST,SSLVPN ICAEND_CONNSTAT,SSLVPN ICASTART,SSLVPN LICLMT_REACHED,SSLVPN LOGIN,SSLVPN LOGOUT,SSLVPN Message,SSLVPN NONHTTP_RESOURCEACCESS_DENIED,SSLVPN STA_VALIDATE_RESP,SSLVPN TCPCONN_TIMEDOUT,SSLVPN TCPCONNSTAT,SSLVPN UDPFLOWSTAT,SUBSCRIBER SESSION_,TCP CONN_,TCP NAT_,TCP OTHERCONN_,TRANSFORM PCRE_ERROR,TRANSFORM REQ_,UI CMD_EXECUTED,URLFILT URLFILT_LOG
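The following Python example is added to this guide and is not Accenture MDR or Citrix code. It shows how the settings required in the VPX and SDX procedures above (LOCAL0 facility, GMT time zone, MMDDYYYY date format, DEBUG level disabled) can be verified on the receiving side: it parses NetScaler audit syslog lines into their module, event type, severity and timestamp fields, reports lines that deviate from those settings, and checks whether the "<module> <event>" signature is on the recommended list. The sample log lines are constructed for the example, not captured from a device; the signature set is a subset of Table 1-2; and treating entries that end in "_" (such as "APPFW APPFW_") as prefixes that cover every event type starting with them is an assumption, since the guide does not state how those entries are matched.

```python
"""Parse NetScaler syslog lines and check them against the settings this guide asks for."""
import re
from datetime import datetime, timezone

LOCAL0 = 16   # syslog facility number for LOCAL0 (PRI = facility * 8 + severity)
DEBUG = 7     # syslog severity number for DEBUG

# Subset of the MDR recommended signatures from Table 1-2, as "<module> <event>".
# Assumption: an entry ending in "_" is a prefix covering every event type that
# starts with it; the guide does not say so explicitly.
RECOMMENDED = {
    "SSLVPN LOGIN", "SSLVPN LOGOUT", "CLI CMD_EXECUTED", "GUI CMD_EXECUTED",
    "API CMD_EXECUTED", "AAA LOGIN_FAILED", "APPFW APPFW_", "APPFW AF_",
    "EVENT DEVICEDOWN", "EVENT DEVICEUP", "SSLLOG SSL_", "TCP CONN_",
}

# NetScaler audit line layout assumed here:
# <PRI> MM/DD/YYYY:HH:MM:SS TZ host ppe : partition MODULE EVENT msgid flag : body
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<date>\d{2}/\d{2}/\d{4}):(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tz>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<ppe>\S+)\s+:\s+(?P<partition>\S+)\s+"
    r"(?P<module>\S+)\s+(?P<event>\S+)\s+(?P<msgid>\d+)\s+(?P<flag>\d+)\s+:\s*(?P<body>.*)$"
)

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LINES = [
    '<134> 04/15/2021:10:23:45 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 1201 0 : '
    'Context jdoe@203.0.113.7 - SessionId: 5 - User jdoe - Client_ip 203.0.113.7 - '
    'Nat_ip "Mapped Ip" - Vserver 198.51.100.10:443 - Browser_type "Mozilla/5.0" - '
    'SSLVPN_client_type ICA - Group(s) "N/A"',
    '<134> 04/15/2021:10:24:01 GMT ns01 0-PPE-0 : default CLI CMD_EXECUTED 1202 0 : '
    'User nsroot - Remote_ip 203.0.113.9 - Command "save ns config" - Status "Success"',
    # LOCAL0.DEBUG: the guide says DEBUG must stay unchecked, so this should not arrive.
    '<135> 04/15/2021:10:24:02 GMT ns01 0-PPE-0 : default APPFW APPFW_STARTURL 1203 0 : '
    '10.0.0.5 12345-PPE0 - ppe0 "http://www.example.com/admin" Start URL check failed <blocked>',
    # LOCAL1 and a local time zone: both deviate from the required settings.
    '<142> 04/15/2021:12:24:05 CEST ns02 0-PPE-0 : default EVENT DEVICEDOWN 1204 0 : '
    'Device "svc_web1(10.0.0.50:80)" - State DOWN',
]


def parse_line(line):
    """Split one NetScaler syslog line into its fields; returns None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = pri // 8
    rec["severity"] = pri % 8
    rec["signature"] = f"{rec['module']} {rec['event']}"
    # The guide asks for MMDDYYYY dates in GMT, so only that combination is decoded.
    rec["timestamp"] = None
    if rec["tz"] == "GMT":
        rec["timestamp"] = datetime.strptime(
            f"{rec['date']}:{rec['time']}", "%m/%d/%Y:%H:%M:%S"
        ).replace(tzinfo=timezone.utc)
    return rec


def is_recommended(signature):
    """True if the signature is in RECOMMENDED, either exactly or via a "_" prefix entry."""
    return any(signature == s or (s.endswith("_") and signature.startswith(s))
               for s in RECOMMENDED)


def check_line(line):
    """Return the parsed record plus a list of deviations from the guide's settings."""
    rec = parse_line(line)
    if rec is None:
        return {"parsed": False, "issues": ["unparsed"], "recommended": False}
    issues = []
    if rec["facility"] != LOCAL0:
        issues.append("facility")    # Log Facility must be LOCAL0
    if rec["severity"] == DEBUG:
        issues.append("debug")       # DEBUG level must be left unchecked
    if rec["tz"] != "GMT":
        issues.append("timezone")    # Time Zone must be GMT
    rec.update(parsed=True, issues=issues, recommended=is_recommended(rec["signature"]))
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = check_line(line)
        print(r.get("signature", "?"), "issues=" + ",".join(r["issues"]) or "issues=none",
              "recommended=%s" % r["recommended"])
```

Run the module directly to see one summary line per sample; in practice the same functions can be pointed at a file of lines received on the LCP's 514/UDP or 601/TCP listener to confirm that the appliance was configured as the steps above require before the collector starts relying on the feed.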


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.