
Balancing incoming SYSLOG messages



Hi,

 

My case is this. I run rsyslog in my environment (multiple machines). I need to send that traffic to Splunk. Splunk consists of multiple receivers (forwarders). I need rsyslog to send to a VIP on NetScaler. The VIP would be bound to a service group consisting of the Splunk receivers.

 

OK, so the problem I'm having now is that when rsyslog sends messages to the VIP, the source IP I see in Splunk is that of the NetScaler.

 

I've seen an article on USIP (https://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/enabling-use-source-ip-mode.html), but that requires the backend servers to be on the same subnet as the NetScalers. That's hard to do.

 

What's the best solution for this?

 

Thanks,

  Sergei


Hi!

 

As you have rsyslog, which is UDP, I don't think we have other options.

The only way in your case to see the client IP as the source IP is to use USIP.

When you don't use the USIP option and:

- If your traffic would have been HTTP, you could have used the X-Forwarded-For HTTP header to see the client IP.

- If your traffic is TCP, you could have used - CIP enable <magic number> (https://support.citrix.com/article/CTX205670).

   This will send the client IP in hex format, in an extra packet after the TCP 3-way handshake, to the server side. Your servers will need to be able to extract the client IP from the payload and convert it from hex.

 

 

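The X-Forwarded-For option mentioned in the reply above, seen from the receiving server's side, as an added example that is not part of the original posts and is not Citrix or Splunk code. It assumes the load balancer appends the client address as the last entry of a comma-separated header; the function name `client_ip` and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed address (documentation range) standing in for the load
# balancer's backend-facing IP; replace with your own.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(ip):
    """True when ip belongs to a proxy we operate."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the address to record as the client for one request.

    peer_ip    -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # Honour the header only when the connection really comes from the
    # load balancer; any other sender can put arbitrary text in it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: the rightmost entries were added by proxies we
    # trust, so the first untrusted entry is the client they saw.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Constructed samples: (peer address, header value)
    for peer, xff in [
        ("192.0.2.10", "203.0.113.5"),
        ("192.0.2.10", "10.9.9.9, 203.0.113.5"),
        ("198.51.100.7", "203.0.113.5"),
    ]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Entries to the left of the one the load balancer appended are whatever the client sent and are never used for attribution.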

Archived

This topic is now archived and is closed to further replies.
