
Logging for requests to a Load Balanced Virtual Server



Hi there,

We use a Netscaler MPX to load balance ADFS requests off to the internal ADFS server. We sometimes have people locking up their passwords as their iPhone or similar still has an old password in it, however I don't know how to find the IP address of the device that's locking up the account.

How can I retrospectively monitor the LBVS to see which IP addresses have been hitting it? Can I simply turn on some logging and then download and review the logs later?

Thanks!


Hey mate,

Here are a few links to get you started:

https://www.citrix.com/blogs/2011/08/25/log-what-and-when-you-want-%E2%80%93-all-the-way-from-layer-2-to-layer-7/

http://docs.citrix.com/en-us/netscaler/11/system/audit-logging/configuring-audit-logging.html

The concept for logging can be summarized as follows:

1. Create an 'audit messageaction' which specifies the format of the log strings. (In your case you at least want some policy expressions like CLIENT.IP.SRC in the log string.)

2. Create a dummy rewrite or responder policy (doesn't really matter which of the two you use) and set the policy's rule to 'TRUE' and the action to 'NOOP' and the logAction to be your audit messageaction from step 1.

3. Bind that dummy policy to your LB vserver.

4. Lastly, enable 'User defined' audit logging, either via global syslog parameters or via a syslog action + syslog policy combination. (Setting up an external syslog server is highly recommended since external syslog servers have much better user interfaces.)

If you don't set up an external syslog server, then the audit messages can be displayed via the 'show auditmessages' command, but the maximum number of audit messages that can be displayed by this command is the last 255 lines.

Hope that helps.
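The four steps above put together, as an added worked example that is not code from this thread or from Citrix: the NetScaler CLI for steps 1 to 4, followed by a small Python reviewer for the syslog lines that configuration produces, so the logs can be pulled later and matched against the time of an account lockout. All object names (ACT_LOG_ADFS_CLIENT, RSP_LOG_ADFS_CLIENT, LB_ADFS, SYSLOG_ACT, SYSLOG_POL), the syslog server address 10.0.0.50, the 5 minute search window and the sample log lines are assumed or constructed for this example.

```python
"""Added example, not code from this thread or from Citrix.

Steps 1-4 of the answer above as NetScaler CLI, plus a reviewer for the
syslog lines that configuration produces.  Object names, the syslog server
10.0.0.50 and the sample log lines are assumed or constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Steps 1-4 as NetScaler CLI (assumed object names).  The messageaction logs
# only the client IP, the request URL and the User-Agent; it deliberately
# leaves out the Authorization header and the request body, which would copy
# user credentials into syslog.
NSCLI_CONFIG = """\
add audit messageaction ACT_LOG_ADFS_CLIENT INFORMATIONAL '"client=" + CLIENT.IP.SRC + " url=" + HTTP.REQ.URL + " ua=" + HTTP.REQ.HEADER("User-Agent")'
add responder policy RSP_LOG_ADFS_CLIENT TRUE NOOP -logAction ACT_LOG_ADFS_CLIENT
bind lb vserver LB_ADFS -policyName RSP_LOG_ADFS_CLIENT -priority 100 -gotoPriorityExpression END -type REQUEST
add audit syslogAction SYSLOG_ACT 10.0.0.50 -logLevel ALL -userDefinedAuditlog YES
add audit syslogPolicy SYSLOG_POL ns_true SYSLOG_ACT
bind system global SYSLOG_POL -priority 10
"""

# Constructed syslog lines in the shape a user-defined audit log takes; only
# the quoted "client=... url=... ua=..." part is what the messageaction emits.
SAMPLE_SYSLOG = """\
Jan 14 09:11:02 10.0.0.10 01/14/2019:09:11:02 GMT ns1 0-PPE-0 : default RESPONDER Message 101 0 :  "client=192.0.2.17 url=/adfs/services/trust/2005/usernamemixed ua=Apple-iPhone9C3/1604.206"
Jan 14 09:11:40 10.0.0.10 01/14/2019:09:11:40 GMT ns1 0-PPE-0 : default RESPONDER Message 102 0 :  "client=192.0.2.17 url=/adfs/services/trust/2005/usernamemixed ua=Apple-iPhone9C3/1604.206"
Jan 14 09:12:15 10.0.0.10 01/14/2019:09:12:15 GMT ns1 0-PPE-0 : default RESPONDER Message 103 0 :  "client=198.51.100.8 url=/adfs/ls/ ua=Mozilla/5.0 (Windows NT 10.0)"
Jan 14 09:13:05 10.0.0.10 01/14/2019:09:13:05 GMT ns1 0-PPE-0 : default RESPONDER Message 104 0 :  "client=192.0.2.17 url=/adfs/services/trust/2005/usernamemixed ua=Apple-iPhone9C3/1604.206"
Jan 14 08:30:00 10.0.0.10 01/14/2019:08:30:00 GMT ns1 0-PPE-0 : default RESPONDER Message 100 0 :  "client=203.0.113.5 url=/adfs/ls/ ua=Mozilla/5.0 (Macintosh)"
Jan 14 09:14:30 10.0.0.10 01/14/2019:09:14:30 GMT ns1 0-PPE-0 : default RESPONDER Message 105 0 :  "this line is not from the messageaction"
"""

# Timestamp NetScaler writes into the line, then the messageaction's own fields.
AUDIT_RE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT.*?'
    r'"client=(?P<ip>\S+) url=(?P<url>\S+) ua=(?P<ua>.*)"\s*$'
)


def parse_ns_time(text):
    """Parse the MM/DD/YYYY:HH:MM:SS timestamp used in the syslog lines."""
    return datetime.strptime(text, "%m/%d/%Y:%H:%M:%S")


def parse_audit_line(line):
    """Return {ts, ip, url, ua} for a line written by the messageaction, else None."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    return {"ts": parse_ns_time(m.group("ts")), "ip": m.group("ip"),
            "url": m.group("url"), "ua": m.group("ua")}


def sources_before(lines, lockout_at, window=timedelta(minutes=5)):
    """Count (client IP, User-Agent) pairs seen in the window ending at lockout_at.

    lockout_at is when the domain controller recorded the lockout (event 4740);
    the requests that used up the bad-password count land just before it.
    """
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and lockout_at - window <= rec["ts"] <= lockout_at:
            counts[(rec["ip"], rec["ua"])] += 1
    return counts


def likely_culprits(lines, lockout_at, window=timedelta(minutes=5)):
    """Sources ordered by hit count: [(ip, user_agent, hits), ...]."""
    counts = sources_before(lines, lockout_at, window)
    return [(ip, ua, n) for (ip, ua), n in counts.most_common()]


if __name__ == "__main__":
    lockout = parse_ns_time("01/14/2019:09:15:00")  # time from the DC's lockout event
    for ip, ua, n in likely_culprits(SAMPLE_SYSLOG.splitlines(), lockout):
        print(f"{n:3d} hits  {ip:15}  {ua}")
```

Run it against the syslog file your collector wrote, with the lockout time taken from the domain controller's lockout event; the busiest (IP, User-Agent) pair in the minutes before the lockout is normally the phone with the stale password. The User-Agent is logged alongside the IP because several devices can sit behind one NAT address.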


Have you configured your NetScaler as an ADFS proxy or are you just load balancing across ADFS WAP servers? If it's the former, then you can insert the client's IP address into the X-MS-Forwarded-Client-IP HTTP header on your NetScaler service group, and then ADFS will include the client IP address in its own operational logs and the Windows security log (some additional local security policies need to be configured in Windows from memory).

e.g.

set servicegroup ADFS-SVC-GRP -cip ENABLED X-MS-Forwarded-Client-IP
