
Netscaler gateway VPN- access logs

Nitin George Anand


Hi Team,


Good day...


I have 2 years of experience in Citrix NetScaler but I am pretty new to the gateway VPN configuration. Let me get into the question soon. How can we get the auditor logs for the particular VPN URL?

Being specific: how can I get the user access logs for a particular VPN URL for a specific period of time (e.g. for the past one week)?



Details of device:

VPX device

Netscaler NS 11.1 : Build 49.16 nc




Good News: VPN accesses are logged into the local Syslog.

Bad News: the internal syslog file rolls over every hour (best case) and there are only 26 of them ... so they will be overwritten in just over a day!


So, create a syslog action, pointing it to an EXTERNAL syslog daemon (e.g. Kiwi), create a "true" policy to invoke it, and bind it to the relevant NGVserver.


Sure, @Paul Blitz is absolutely right. But you can do reports on the built-in syslog anyway. First, the number of syslogs stored is configurable, and second, you may use zcat to retrieve information.

I had a similar question recently about WAF logs, so I created a tiny shell script. It may be of help to you (just as a suggestion on how to get the data). My customer stores 100 ns.log files and rolls over only if the log file is 100 MB in size (default: 100 KB).



Johannes norz @Citrix_ADC


I send my NetScaler syslog records to Kiwi. You can then use Kiwi's parsing capability to filter on the records you wish (in your case, SSLVPN LOGIN records). Don't let the SSLVPN confuse you. It is the same for all login records. What you are looking for is the SSLVPN_client_type at the end of the record. It is ICA for ICA proxy traffic and Agent for VPN access.


Here is an actual VPN syslog record:

Nov 28 12:17:01 <local0.info> 10.x.x.x 11/28/2019:17:17:01 GMT ns 0-PPE-0 : default SSLVPN LOGIN 217333 0 : Context sjacobs@100.x.x.x - SessionId: 75- User sjacobs - Client_ip 100.x.x.x - Nat_ip "Mapped Ip" - Vserver 10.x.x.x:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.171" - SSLVPN_client_type Agent - Group(s) "N/A"
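
As an added example (not part of the original posts and not Citrix's own tooling), the filter below pulls VPN logins for one Gateway vserver and one time window out of records shaped like the one quoted above. The function name, the sample records and their addresses are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Layout follows the SSLVPN LOGIN record quoted in the post above.
# Browser_type is sent by the client, so the greedy ".*" makes the match use
# the LAST "SSLVPN_client_type" in the line, not one embedded in that string.
LOGIN_RE = re.compile(
    r'(?P<ts>\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d) GMT \S+ \S+ : \S+ SSLVPN LOGIN '
    r'.*?- User (?P<user>\S+) - Client_ip (?P<client_ip>\S+) '
    r'.*?- Vserver (?P<vserver>\S+) - Browser_type '
    r'.*- SSLVPN_client_type (?P<client_type>\S+) - Group\(s\) '
)

def vpn_logins(lines, vserver, start, end, client_type="Agent"):
    """Return (time, user, client_ip) for logins to vserver in [start, end)."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or m["vserver"] != vserver or m["client_type"] != client_type:
            continue
        when = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)  # record timestamp is GMT
        if start <= when < end:
            hits.append((when, m["user"], m["client_ip"]))
    return hits

# Constructed sample records (documentation IP ranges, made-up users).
def _sample(ts, user, ip, vserver, ua, ctype):
    return (f'Nov 28 12:17:01 <local0.info> 192.0.2.1 {ts} GMT ns 0-PPE-0 : default '
            f'SSLVPN LOGIN 217333 0 : Context {user}@{ip} - SessionId: 75- User {user} '
            f'- Client_ip {ip} - Nat_ip "Mapped Ip" - Vserver {vserver} '
            f'- Browser_type "{ua}" - SSLVPN_client_type {ctype} - Group(s) "N/A"')

SAMPLE = [
    _sample("11/28/2019:17:17:01", "alice", "198.51.100.7", "192.0.2.10:443", "Mozilla/5.0", "Agent"),
    _sample("11/28/2019:18:00:00", "bob", "198.51.100.8", "192.0.2.10:443", "CitrixReceiver", "ICA"),
    _sample("11/28/2019:18:05:00", "carol", "198.51.100.9", "192.0.2.10:443",
            "x - SSLVPN_client_type Agent - Group(s) y", "ICA"),  # misleading User-Agent
    _sample("11/28/2019:19:00:00", "dave", "198.51.100.10", "192.0.2.20:443", "Mozilla/5.0", "Agent"),
    _sample("11/10/2019:09:00:00", "erin", "198.51.100.11", "192.0.2.10:443", "Mozilla/5.0", "Agent"),
]

if __name__ == "__main__":
    week = (datetime(2019, 11, 21, tzinfo=timezone.utc), datetime(2019, 11, 29, tzinfo=timezone.utc))
    for when, user, ip in vpn_logins(SAMPLE, "192.0.2.10:443", *week):
        print(when.isoformat(), user, ip)
```

`lines` can be any iterable of text lines, such as an open file written by the external syslog daemon or the decompressed output of the rotated ns.log files.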
