Jump to content
Welcome to our new Citrix community!

Transactional Audit logs

Atul Singh

Recommended Posts

How can we collect the audit logs which will have below details -

Client IP + Port + Back-end Real


Requirement - We have bridge mode configured in our env, and few TCP based apps needed Client IP information mapped with backend real & port for auditing purposes.


-Thanks, Atul

Link to comment
Share on other sites

https://support.citrix.com/article/CTX226058 (on tcp logging) and here for general syslog policy info:  https://docs.citrix.com/en-us/citrix-adc/12-1/system/audit-logging/configuring-audit-logging.html


So by default the ADC does not log this info in syslog; but you can enable TCP Logging in the syslog audit parameters or in a syslog audit policy.

You will then get all the TCP connection transaction logs...but this can be a LOT of logging.


If you change the syslog audit parameters, then you change the logging behavior of the default syslog settings of the ADC's local syslog.  Which will generally result in very frequent log rollover; so it may not be desirable as you will get tcp transaction logs for ha communication/gui communication/ and traffic hitting vservers on the ADC.


So it might be preferred to create a syslog action and syslog policy with the TCP Logging enabled, configure it to log to an appropriate external logging location and then bind the tcp transaction logging audit policy to just the vserver(s) that you need logging for (to reduce log information); while leaving the local syslog parameters at the default settings.  (Depending on version, you might have to still use a classic engine syslog policy to bind directly to an lb vserver instead of an advanced engine policy.)


As a possible alternative, for web transactions, you can look at NSWL (former NetScaler Web Logging now Citrix ADC Web Logging...) that can get you web transaction logs to an external listener. Probably won't have any useful info for your ssl_bridge traffic though.


But the syslog policy with TCP logging enabled would get you client ip to vip / snip to destination ip info (including for SSL bridge resources).








Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...