Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This quick start guide will help Accenture MDR customers configure Citrix® NetScaler to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

Citrix NetScaler 

LCP

514 (UDP) or

601 (TCP)

Default port

 

Configuring Citrix NetScaler

To configure the Citrix NetScaler to send logs to the LCP, follow the steps below.

  1. Verify if the hostname is configured.

  • Login to the NetScaler Web interface as an Administrator.

  • Go to the Configuration tab and click the Settings icon at the top-right corner.

  • Click Host Name, DNS IP Address, and Time Zone and type the following.

  • In the Host Name text box, verify if the host name is present.

a) If the host name is configured already, no action is required.

b) If the text box is empty, type a host name without space.

c) In the DNS IP Address text box, verify if the local DNS IP address is added.

d) In the Time Zone text box, type your time zone.

2. Configure the Syslog server action.

  • Login to the NetScaler Web interface as an Administrator.

  • Go to Configuration > System > Auditing > Syslog > Servers.

3. Click Add and do the following in the Create Auditing Server window. 

  • In the Name* text box, type a name for the LCP.

  • In the IP Address* text box, type the IP address of the LCP. 

  • In the Port text box, type 514

  • In the Log levels section, click CUSTOM and check the ALL check box except Debug.

  • From the Log Facility* drop-down list, select LOCAL 0.

  • From the Date Format* drop-down list, select MMDDYY

Note: MDR Citrix NetScaler Supported date format is MMDDYY

  • In the Time Zone section, click GMT.

  • Uncheck the Logging check boxes and then click Create.

4. Binding the created audit policy to the server.

  • Go to Configuration > System > Auditing > Syslog and click the Policies tab.

  • In the Name* text box, type a name for the policy.

  • In the Server* drop-down list, select the policy from the previous section and click Create.

5. Right-click the created Auditing Policy and go to Action > Global Bindings and click Add Binding

6. In the Policy Binding window,

  • In the Select Policy* text box, type the created audit policy.

  • In the Binding Details section, in the Priority* text box type 120 as it is the default priority and click Bind.

 Note: Priority is a numeric value that indicates when this policy is evaluated relative to other policies. Access Gateway gives precedence to a policy with lower priority.

LCP Configuration Parameters

Table 1-2: The Citrix NetScaler event collector (Syslog -3679) properties to be configured by MDR are shown in the table.

Property

Default Value

Description

Protocol

UDP

The  default protocol for syslog. The collector can also accept logs in TCP.

Port

514

The default port for UDP. For TCP, the default port is 601.

IP Address

Citrix NetScaler IP Address

Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Signatures

AAA LOGIN_FAILED, AAA EXTRACTED_GROUPS, UI CMD_EXECUTED, SSLVPN LOGIN, SSLVPN LOGOUT

SSLVPN ICASTART, SSLVPN ICAEND_CONNSTAT, SSLVPN TCPCONNSTAT, SSLVPN TCPCONN_TIMEDOUT

SSLVPN UDPFLOWSTAT, SSLVPN HTTPREQUEST, SSLVPN NONHTTP_RESOURCEACCESS_DENIED

SSLVPN HTTP_RESOURCEACCESS_DENIED, SSLVPN CLISEC_CHECK, SSLVPN CLISEC_EXP_EVALEVENT DEVICEUP

EVENT DEVICEDOWN, SNMP TRAP_SENT, EVENT MONITORUP, EVENT MONITORDOWN, APPFW APPFW_STARTURL, APPFW APPFW_DENYURL

APPFW APPFW_COOKIE, APPFW APPFW_BUFFEROVERFLOW_COOKIE, APPFW APPFW_BUFFEROVERFLOW_URL

APPFW APPFW_BUFFEROVERFLOW_HDR, APPFW APPFW_SAFECOMMERCE, APPFW APPFW_SAFEOBJECT, APPFW APPFW_FIELDCONSISTENCY

APPFW APPFW_FIELDFORMAT, APPFW APPFW_CSRF_TAG, APPFW APPFW_XSS, APPFW APPFW_SQL

APPFW APPFW_XML_ERR_NOT_WELLFORMED, APPFW APPFW_XML_DOS_ERR_MAX_NAMESPACES, APPFW APPFW_XML_XSS

APPFW APPFW_XML_SQL, APPFW AF_400_RESP, APPFW APPFW_POLICY_HIT, APPFW APPFW_POLICY_HIT_BUILTIN, APPFW APPFW_SIGNATURE_MATCH

APPFW APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT APPFW APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE

APPFW_RESP APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT

APPFW_RESP APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE

APPFW APPFW_FIELDFORMAT, APPFW APPFW_REFERER_HEADER, APPFW AF_MALFORMED_REQ_ERR

APPFW_RESP APPFW_XML_ERR_NOT_WELLFORMED, GUI CMD_EXECUTED, CLI CMD_EXECUTED, EVENT

STARTSAVECONFIG, EVENT STOPSAVECONFIG

MDR recommended signatures processed by the Citrix NetScaler event collector.

 

  • No labels

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.