Jump to content
Welcome to our new Citrix community!

Citrix ADC syslog failed logons

Recommended Posts

  • 5 weeks later...

Local syslog output is located in /var/log/ns.log as the current log output and is controlled by the syslog audit parameters (keep local logging local; use policies to manage external logging).  There are other log files in the /var/log/ directory and you can see if the auth log gives you any details you are looking for if not included in the normal syslog output.


Regular syslog output can be captured by creating an audit policy/action of type syslog with the necessary output type and a syslog destination.

Bind the policy to the system global object to capture all system syslog information (all system audit and all feature/vserver events) to the logging destination.

Or bind the policy to the vpn global or a specific vpn vserver and/or authentication vserver to capture gateway specific events to the logging destination.

In GUI:  System > Audit > Policies (and Actions) node to create policies. Go to vpn vserver or aaa vserver to bind the policies.

Most of the gateway events will be related to the start of AAA events, vpn connection/TCP connection processing, and authorization related events (allow/deny).  If doing this as part of a Gateway/ICA Proxy config you will also see some events related to storefront and sta calls.



If trying to capture everything about the authentication process...it depends. Some things are in syslog like user authentication attempts. Some details aren't like the exact authentication details and authentication errors.  The aaad.debug output is used mostly for troubleshooting and not auditing.


To troubleshoot authentication behavior, you can view authentication events as they occur by viewing the output of the aaad.debug named pipe.


cd /tmp

cat aaad.debug


This isn't a file, but the named pipe (via the cat command) will output external authentication events as they occur. This is useful for troubleshooting issues with external authentication like ldap, radius, and saml authentication events.


You may be able to export output to file for review using following command; but no real output of this exists.

cat aaad.debug > /var/somefile.txt








Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...